MALICIOUS
60
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains legacy WordBasic macro markers and VBA macros. The VBA code in 'macros.bas' is heavily obfuscated and appears to manipulate form elements and user interface behavior, but its exact malicious function is unclear due to truncation and obfuscation. No direct indicators like URLs or file paths were extracted.
Heuristics 2
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4144 bytes |
SHA-256: c11ceb97ed49ad1c896d51e92869a23805cf887187d3fb609cac14a647c7bf04 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HaCkErS"
Attribute VB_Base = "0{D8AF4FF8-CD97-11D3-ACD9-900936D3B526}{D8AF4FE9-CD97-11D3-ACD9-900936D3B526}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Dim Teks(4) As String
Private Sub CommandButton1_Click()
Do
With HaCkErS
.Height = .Height - 10
.Width = .Width - 15
If .Height < 25 Then Exit Do
End With
Beep
Loop
Unload Me
End Sub
Private Sub Image1_Click()
End Sub
Private Sub Label2_Click()
End Sub
Private Sub UserForm_Activate()
TT
End Sub
Sub TT()
Dim a As Byte, diam As Boolean
Dim tp&, tm!, sel!, i%
a = 1
diam = True
HaCkErS.Enabled = False
Do
DoEvents
sel = Timer - tm
tp = tp + 1
If tp Mod 300 = 0 Then
Label4.ForeColor = HaCkErS.BackColor
End If
If tp Mod 600 = 0 Then
Label4.ForeColor = &H80000009
End If
If sel > 0.1 Then
tm = Timer
i = i + 1
If a = 4 Then Label1.Font.Size = 14: Label1.Width = Image1.Width
Label1.Caption = Label1.Caption & Mid(Teks(a), i, 1)
If Mid(Teks(a), i, 1) Like "[! ]" Then Beep
If Len(Label1.Caption) = Len(Teks(a)) Then
If diam Then
Do
If Timer - tm > 1 Then Exit Do
DoEvents
Label4.ForeColor = HaCkErS.BackColor
Loop
diam = False
If a = 4 Then GoTo catat
End If
Label2.Move Label2.Left - 9
If Label2.Left <= Label1.Left Then GoSub catat
End If
End If
Loop
Exit Sub
catat:
If a <> 5 Then Label1.Caption = ""
tm = Timer
Label2.Left = Label1.Left + Label1.Width
a = a + 1
i = 0
diam = True
If a = 5 Then
Label4.Visible = False
Frame1.Visible = True
Image1.Visible = True
HaCkErS.Enabled = True
CommandButton1.SetFocus
Image1.Picture = LoadPicture(System.PrivateProfileString("", _
"HKEY_CURRENT_USER\Control Panel\desktop", "Wallpaper"))
Exit Sub
End If
Return
End Sub
Private Sub UserForm_Layout()
Dim waktu%, ShOLaT$
waktu = Val(Format(Time, "hh"))
Select Case waktu
Case 12 To 14
ShOLaT = "ZOHOR"
Case 15 To 17
ShOLaT = "ASHAR"
Case 18 To 18
ShOLaT = "MAGHRIB"
Case 19 To 23
ShOLaT = "ISYAK"
Case 0 To 2
ShOLaT = "ISYA"
Case 5 To 5
ShOLaT = "SUBUH"
Case Else
Label4.Visible = False
End Select
Teks(1) = "hAi sAlaM PeRkeNaLaN DaRi eLiTe! ThE YoUnG 22 HaCkErS ..tULaH SuKa SaNgAt TenGoK CD bIrU..!"
Teks(2) = "iNgAt BiNaTaNg iNi ApO hA...!? ViReX lAh nOgOk!!! kA..Ka..kA...SeKaRaNg SaYa NaK FoRmAt HD U...!!"
Teks(3) = "Buat aWeK 'SINGLE' yang merasa dirinya CuTe & Manis.., Salam dari eLiTe..!"
Teks(4) = "hA..nAk TeNgOk FiLeM BlUe LaGi kE!..pAdAm MuKa HanG!!!..."
Label2.Left = Label1.Left + Label1.Width
Label3.Caption = "By : eLiTe '99" & Chr(13) & Chr(13) & "Thanks to : " & Chr(13) & Application.UserName
Label4.Caption = "Anda Sudah ShoLat " & ShOLaT & "!"
End Sub
Private Sub UserForm_Terminate()
Dim i As Integer
For i = 1 To 100
Beep
Next
End Sub
Attribute VB_Name = "eLiTeFoRm"
Attribute VB_Base = "0{D8AF4FFE-CD97-11D3-ACD9-900936D3B526}{D8AF4FF2-CD97-11D3-ACD9-900936D3B526}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.