MALICIOUS
80
Risk Score
Heuristics 2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Application.OrganizerCopy _
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3340 bytes |
SHA-256: f37da605a29d0981a53e056f915ddf623c5bf37cd6f3d89a96e8ae8eb4ac2268 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Project.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul_CD"
' Makros für Erstellung neuer Dokumentvorlagen mit ND48 auf der Grundlage der CI/CD-Basisdokumente
' 30.07.08
Sub AutoNew()
' Autostart-Makro kopiert alle Makros des Moudul_CD in das neue Dokument
Application.OrganizerCopy _
Destination:=ActiveDocument.FullName, _
Source:=ActiveDocument.AttachedTemplate.FullName, _
Name:="Modul_CD", _
Object:=wdOrganizerObjectProjectItems
End Sub
Sub Titelgrafik_Loeschen()
'
' Makro aufgezeichnet am 30.07.2008 von Spengler.H
'
If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
ActiveWindow.Panes(2).Close
End If
If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
ActivePane.View.Type = wdOutlineView Then
ActiveWindow.ActivePane.View.Type = wdPrintView
End If
ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
Selection.HeaderFooter.Shapes(1).Select
Selection.ShapeRange.Delete
ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
End Sub
Sub AlleFelderAktualisieren()
Dim rngDoc As Range
Dim oDoc As Document
Set oDoc = ActiveDocument
For Each rngDoc In oDoc.StoryRanges
rngDoc.Fields.Update
While Not (rngDoc.NextStoryRange Is Nothing)
Set rngDoc = rngDoc.NextStoryRange
rngDoc.Fields.Update
Wend
Next rngDoc
End Sub
Sub TitelEinfuegen()
With Dialogs(wdDialogInsertPicture)
If .Display = -1 Then
Dim mypicture
Set mypicture = ActiveDocument.Shapes.AddPicture(FileName:=.Name)
mypicture.LockAspectRatio = msoFalse
mypicture.WrapFormat.Type = 3
mypicture.RelativeHorizontalPosition = wdRelativeHorizontalPositionPage
mypicture.RelativeVerticalPosition = wdRelativeVerticalPositionPage
mypicture.Top = CentimetersToPoints(0)
mypicture.Left = CentimetersToPoints(0)
mypicture.Width = CentimetersToPoints(21)
mypicture.Height = CentimetersToPoints(29.7)
mypicture.Select
Selection.Cut
End If
End With
' Kopf-Fusszeile
If ActiveWindow.View.SplitSpecial <> wdPaneNone Then
ActiveWindow.Panes(2).Close
End If
If ActiveWindow.ActivePane.View.Type = wdNormalView Or ActiveWindow. _
ActivePane.View.Type = wdOutlineView Or ActiveWindow.ActivePane.View.Type _
= wdMasterView Then
ActiveWindow.ActivePane.View.Type = wdPageView
End If
ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
' vorhandenes Titelbild löschen
ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
Selection.HeaderFooter.Shapes(1).Select
Selection.ShapeRange.Delete
' neues Titelbild einfügen
Selection.Paste
Selection.ShapeRange.ZOrder msoSendToBack
Selection.ShapeRange.ZOrder msoSendBehindText
ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.