Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. ClamAV detections indicate it is a known Trojan. The presence of the Document_Open macro suggests the intent is to automatically execute malicious code upon opening the document, likely to download and execute a second-stage payload. No specific family could be identified.
Heuristics (5)
- ClamAV: Doc.Trojan.Marker-40 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Marker-40
- ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]: ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA macros detected [medium, OLE_VBA_MACROS]: Document contains VBA macro code
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- http://www.ptb.be/nouvelles/article/bruxelles-zone-de-guerre.html
- http://www.tbx.be/fr/Dossier/168/app.rvb
- http://xianhenri.be/Fem/design/dyn/5min.html
- http://www.reflexcity.net/bruxelles/communes/anderlecht/rue-emile-carpentier/photos
- http://www.anderlechtensia.be/cureghem.htm
- http://fr.wikipedia.org/wiki/Senne_%28rivi%C3%A8re%29
- http://fr.wikipedia.org/wiki/Les_fous_de_la_Senne
- http://archives.lesoir.be/un-an-apres-les-emeutes-de-cureghem-un-quartier-entre-c_t-19981107-Z0FZVA.html
- http://archives.lesoir.be/plongee-a-cureghem-zone-de-non-droit-vraiment-_t-20100202-00T4Y6.html
- http://archives.lesoir.be/plongee-a-cureghem-zone-de-%AB-non-droit-%BB-vraiment-_t-20100202-00T4Y6.html
- http://archives.lesoir.be/pourquoi-cureghem-est-toujours-aux-urgences_t-20080402-00FHLF.html
- http://archives.lesoir.be/criminalite-une-organisation-criminelle-demantelee-a_t-20100526-00XA4V.html
- http://www.lesoir.be/regions/bruxelles/2010-05-25/anderlecht-tolerance-zero-jusqu-a-nouvel-ordre-772273.php
- http://forums.lesoir.be/index.php?showtopic=45430
- http://www.rtbf.be/info/matin-premiere/la-chronique-de-paul-hermant-184482
- http://delinquance-bxl.skyrock.com/2782033908-Cureghem-n-est-pas-un-ghetto-04-02-2010.html
- http://archives.lesoir.be/?action=search&firstHit=0&queryand=cureghem+%E9meutes&queryor=&querynot=&nomau=&prenau=&when=-2&begDay=01&begMonth=01&begYear=1989&endDay=11&endMonth=09&endYear=1998&sort=datedesc&by=10&rub=TOUT&rechercher=lancer+la+recherche#
- http://archives.lesoir.be/la-gare-de-cureghem-se-meurt-_t-19900216-Z02DAR.html
- http://archives.lesoir.be/cureghem-veut-soigner-son-imago-les-caves-de-cureghem_t-19981203-Z0G36N.html?queryand=%22grande+%E9cluse%22+bruxelles&firstHit=0&by=10&when=-1&begYear=1989&begMonth=01&begDay=01&endYear=2010&endMonth=09&endDay=08&sort=datedesc&rub
- http://archives.lesoir.be/cureghem-veut-soigner-son-imago-les-caves-de-cureghem_t-19981203-Z0G36N.html?queryand=%22grande+%E9cluse%22+bruxelles&firstHit=0&by=10&when=-1&begYear=1989&begMonth=01&begDay=01&endYear=2010&endMonth=09&endDay=08&sort=datedesc&rub=TOUT&pos=7&all=24&nav=1
- http://www.cairn.info/resume.php?ID_ARTICLE=ASSR_143_0069
- http://fr.wikipedia.org/wiki/Senne_%28rivi%C3%A8re%29
- www.sennezenne.be
- http://fr.wikipedia.org/wiki/Les_fous_de_la_Senne
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | 5f4373860bf6ec445c4fd0b0d8ce575e409f2cff46a1bc1aa24747a12e40ec93 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4268 bytes | ClamAV: Doc.Trojan.Marker-2 | unlikely |