Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 282c570d328193c5…

MALICIOUS

Office (OLE) / .XLSX

Size: 20.0 KB
Created: 2004-10-29 23:54:58
Authoring application: Microsoft Excel
First seen: 2023-02-05
MD5: 066160861c79554e6af2c8edc19fcfa1
SHA-1: c57221b6f0a0712e60b9ed58ce49100588d45548
SHA-256: 282c570d328193c52c2d29067f191abe93191eb5d577d8f6f71651cbd8daff7d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic

The critical ClamAV detection and high-severity heuristic for an Auto_Open macro indicate malicious intent. The VBA script attempts to establish persistence by copying itself to the Excel startup folder as 'StartUp.xls' and setting up macro hooks to ensure execution. This behavior is consistent with a macro-based malware dropper aiming for persistence.

Heuristics (3)

  • ClamAV: Doc.Macro.Laroux-5893719-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • Auto_Open macro (severity: high, OLE_VBA_AUTO)
    The document contains an Auto_Open macro, which runs automatically when the workbook is opened
  • VBA macros detected (severity: medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 79b21a7c777209cbed010937c211fa50ce8f1a7a563e8469017a43761e814fcd
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1606 bytes