Xls.Trojan.Jin-1 — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 26e98d0aa340b076…

MALICIOUS

Office (OLE) / .XLSX

66.0 KB
Created: 1999-03-22 14:02:07
Authoring application: Microsoft Excel
MD5: 5c7e83218c24bfec8e151ba1426d60bf
SHA-1: f71cb5b60def971b349568343dd64d4d6ccd5c62
SHA-256: 26e98d0aa340b0766db57c54130b167770ecbc97ba40645a31135e7c676b9a7c
Risk Score: 180

Malware Insights

Xls.Trojan.Jin-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel spreadsheet containing VBA macros, specifically an Auto_Open macro. This macro is designed to infect other open workbooks by copying its own sheets into them and then saving the infected workbook with the original name, effectively overwriting it. The ClamAV detection of 'Xls.Trojan.Jin-1' further supports its malicious nature. The VBA code attempts to hide its actions by manipulating application settings and worksheet visibility.

Heuristics 4

  • ClamAV: Xls.Trojan.Jin-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Jin-1
  • ClamAV detection on extracted artifact (severity: critical, rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (4ea9f92e26fb1ce8679c97c19a11eb76dda06f158d68c17500e28a18a1a63484)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17477 bytes
Detection: ClamAV: Xls.Trojan.Jini-1
Obfuscation or payload: unlikely