restmod.blogg.se

Carrier command 2 virus bots









Based on our analysis of other malicious VBA-based samples, the functions “ShellExecute”, “Shell”, “WScript.Shell”, and “Run” are usually called to execute DOS commands.


Over the last few years we have received a number of emails with attached Word files that spread malware. Now it seems that it is becoming more and more popular to spread malware using malicious Excel files. Lately, Fortinet has collected a number of email samples with Excel files attached (.xls, .xlsm) that spread malware by executing malicious VBA (Visual Basic for Applications) code.

VBA is a programming language used by Microsoft Office suite. Normally, VBA is used to develop programs for Excel to perform some tasks. I’ll use two examples to explain how Excel files can be used to spread malware.

When the infected file is opened in Excel, a message pops up asking the user to enable the macro security option by clicking the “Enable Content” button. Once the macro function is enabled, the malicious VBA code inside the sample is executed.

The file in this example is an OLE format Excel file that was collected on Feb 27, 2017. Its original file name is “payment.xls”, which was detected as virus “WM/Agent.D9E2!tr.dldr” by Fortinet because it contains malicious VBA code. Here is the OLE structure of this sample.

Figure 2. The OLE structure of this sample

From the parsing result of the OLE file analysis tool, the malicious VBA code exists in the Module1 stream. So I extracted the VBA code from it.

As you can see from the above VBA code, there is a function named “Auto_Open”, which is called automatically when the file is opened in Excel.
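The two indicators described on this page, an auto-run procedure such as “Auto_Open” and the calls “ShellExecute”, “Shell”, “WScript.Shell” and “Run”, can be checked together once the VBA source has been extracted from the Module1 stream. The triage script below is an added example, not code from the original article or from Fortinet; the names `scan_vba` and `strip_comment`, the `Workbook_Open` entry point and the sample macro are assumptions made for illustration.

```python
import re

# Auto_Open is the entry point named in the article; Workbook_Open is an
# added assumption (another procedure Excel runs when a workbook opens).
AUTO_EXEC = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(Auto_Open|Workbook_Open)\b", re.I)

# The four command-execution calls the article lists.
EXEC_CALLS = {
    "ShellExecute": re.compile(r"\bShellExecute[AW]?\b", re.I),
    "Shell": re.compile(r"(?<![.\w])Shell\b", re.I),
    "WScript.Shell": re.compile(r"\bWScript\.Shell\b", re.I),
    "Run": re.compile(r"\.Run\b", re.I),
}

def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def scan_vba(source):
    """Return auto-run procedures and command-execution calls in VBA source."""
    # Join " _" line continuations; line numbers refer to the joined text.
    source = re.sub(r"[ \t]_\r?\n", " ", source)
    auto, calls = [], []
    for lineno, raw in enumerate(source.splitlines(), 1):
        # Fold "a" & "b" into "ab" so literals split by concatenation still match.
        line = re.sub(r'"\s*[&+]\s*"', "", strip_comment(raw))
        m = AUTO_EXEC.match(line)
        if m:
            auto.append(m.group(1))
        for name, pattern in EXEC_CALLS.items():
            if pattern.search(line):
                calls.append((lineno, name))
    return {"auto_exec": auto, "exec_calls": calls, "flag": bool(auto and calls)}

# Constructed sample macro (inert; not the code from payment.xls).
SAMPLE = '''Sub Auto_Open()
    ' Shell is only mentioned in this comment
    Dim o
    Set o = CreateObject("WScr" & "ipt.Shell")
    o.Run "cmd.exe /c echo constructed-sample", 0
End Sub
'''
```

A module is flagged only when an auto-run procedure and at least one execution call are both present, which keeps ordinary helper macros that merely mention these words in comments from raising alerts.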









