MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains legacy WordBasic AutoOpen macro markers. The VBA script, specifically the AutoOpen subroutine, is designed to execute when the document is opened. While the script is truncated, it contains references to user interface elements and string manipulation, suggesting it attempts to download or execute further malicious content. The presence of 'www.coderz.net/ultras' in a message box suggests a potential command and control or download URL.
Heuristics 4
- ClamAV: Doc.Trojan.VVSC-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.VVSC-3
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9987 bytes |

SHA-256: a8a1e7c050ddb8be016859b2de349026c85f40931a126cbfe39a38018d9693f0

Detection
ClamAV: Doc.Trojan.VVSC-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UABOUT"
Attribute VB_Base = "0{CD4ACF10-5AC7-11D3-AF98-C6AED364577C}{CD4ACEE0-5AC7-11D3-AF98-C6AED364577C}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton5_Click()
UABOUT.Hide
UMAIN.Show
End Sub
Private Sub CommandButton6_Click()
MsgBox "www.coderz.net/ultras"
End
Documents.Close
End Sub
Attribute VB_Name = "ULTRAS"
Sub AutoOpen()
On Error Resume Next
USTART.Show
End Sub
Attribute VB_Name = "UMAIN"
Attribute VB_Base = "0{CD4ACEF6-5AC7-11D3-AF98-C6AED364577C}{CD4ACEE8-5AC7-11D3-AF98-C6AED364577C}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
End
Documents.Close
End Sub
Private Sub CommandButton2_Click()
UMAIN.Hide
UABOUT.Show
End Sub
Private Sub CommandButton3_Click()
On Error Resume Next
'hdfghdfhghdfgiuryuighfhdfghjgdfjihe
Dim this, that, Fcon As String
'y6456frdhjfghjdghjfghgfhgdhghfghdf
Set Con = New DataObject
'MaCro ENcRyPtoR bY ULTRAS (c)1998
If Text = "" Then
'fhgjydfihyghhdfghgfherghfghihdggc
MsgBox "You nor what and did not insert", vbCritical, "Misentry"
'jfrghdhgfhegfhygeryhrghjfghdjgfhgteyu
End
'fgthjrythjighhjdfhgrthguiruiygghhrh
End If
'krugytryitjgirugihrgirtyuigtyghrthiu
lent = Len(Text)
'fhgjiyfrigyrjigjirjitgjirghjigjigth
For countout = 1 To lent
'rthgirefghjfrhjighhrthjighghfgthhgrt
ToConvert = Mid(Text, countout, 1)
'zdgdfhgfyguy9999uryughrjkghrtyguruty
For u = 1 To 400
'jrgyuryuhd554khvhjgdhgvhdfghgvdfhhfvgh
that = Chr(u)
'hdfjgdhgdhjfg586jgdhfgvhdfhjgdfhjsdhj
If that = ToConvert Then
'dhfgkjhdjfhvidg85bxbjvcfcvhdghfryeue
Fcon = Fcon + "Chr(" & u & ")"
'ysdhfigdshgfhjs5467hjfgshjghjcgbshfuieutuwq
If countout <> lent Then Fcon = Fcon + " + "
'jdfghjdvuvcxbh12334yruifuyfrusdgfh
GoTo drop
'65347erthghdfgh333fhgfehrhdghgfrugeruyegr
End If
'zcxhsd45456yfudsjdfjidhgdhfghruiguiighrhtui
Next u
'rtegfgdgfhjgehrgfhgehfghueyureyufr44565674
drop:
'fgiehfygyuiergyuiyie456eyryifghdfhfghjdfghhj
Next countout
'fhgihrdfuiyguirfigdhhuigreyuieyurtyue3476rhdf
MsgBox "You Encrypt text copy in """ & UMAIN.txtVirus & """ file", vbExclamation, "Macro Encryptor by ULTRAS"
'khdfgjdfhgyhdfhghdr4568rghjdfghgffjhgfdgfg
live = "" & UMAIN.txtVirus & "" & ".txt"
Open live For Output As #1
Print #1, ""
Print #1, "' MACRO ENCRYPTOR by ULTRAS"
Print #1, "' Version 1.0c"
Print #1, ""
Print #1, "' You text:"
Print #1, "' ~~~~~~~~~"
Print #1, "" & UMAIN.Text
Print #1, ""
Print #1, "' Encrypt text:"
Print #1, "' ~~~~~~~~~~~~~"
Print #1, "" & Fcon
Close #1
End Sub
Attribute VB_Name = "USTART"
Attribute VB_Base = "0{CD4ACF14-5AC7-11D3-AF98-C6AED364577C}{CD4ACEEA-5AC7-11D3-AF98-C6AED364577C}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
USTART.Hide
UMAIN.Show
End Sub
Private Sub Image1_Click()
MsgBox "www.coderz.net/ultras"
End Sub
' Processing file: /opt/analyzer/scan_staging/b6a9a2bead944829aab6b391f9e75f78.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 919 bytes
' Macros/VBA/UABOUT - 2139 bytes
' Line #0:
' Line #1:
' FuncDefn (Private Sub CommandButton5_Click())
' Line #2:
' Ld UABOUT
' ArgsMemCall Hide 0x0000
' Line #3:
' Ld UMAIN
' ArgsMemCall Show 0x0000
' Line #4:
' EndSub
' Line #5:
' Line #6:
' FuncDefn (Private Sub CommandButton6_Click())
' Line #7:
' LitStr 0x0015 "www.coderz.net/ultras"
' ArgsCa
... (truncated)