Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1925d5477c9c92ea…

MALICIOUS

Office (OLE) / .XLS

Size: 43.5 KB
Created: 2009-08-20 07:57:27
Authoring application: Microsoft Excel
MD5: 2cd2b47cce2eee6beffa91aa4a001036
SHA-1: f4501a2aab0a355c232ea261ed2690fd6b8e2d75
SHA-256: 1925d5477c9c92ea50d3f83214c6ec7f30e7edc79c782ed6fa5bba51c10d74b2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel spreadsheet containing VBA macros. The 'auto_open' macro attempts to copy itself to the Excel startup directory as 'StartUp.xls'. It also registers a macro ('cop') to be executed whenever a sheet is activated, likely to maintain persistence or evade detection. The document body contains organizational information, which appears to be a lure.

Heuristics 3

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
9e8ce1401c4739b83f9e6a6842670f92d64e220d4214f18d0db5f915102b51a3
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1176 bytes