Office (OLE) / .EXE malware analysis — malicious · 2aa37c6685876d42

MALICIOUS

Office (OLE) / .EXE

65.5 KB Created: 1980-01-04 17:26:50 Authoring application: Microsoft Excel

MD5: 38669508f5d43487e467a5877d5a9c07 SHA-1: 672e184526705045f4274ac1d765a6b3e5f78557 SHA-256: 2aa37c6685876d42df18f72532ab9807a6deb490e012bc8fabfc1b8a3c8b4645

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file is an Excel document identified by ClamAV as Xls.Trojan.Laroux-28. It contains a VBA macro, specifically an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The macro's purpose is to download and execute a second-stage payload, although the specific details of the payload execution are not discernible from the provided heuristics alone.

Heuristics 4

ClamAV: Xls.Trojan.Laroux-28 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Laroux-28
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b2be538da4eed3d1006013753af4523f28663b90a8d512b9f794f895d0e8ab09`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1859 bytes
Detection ClamAV: Xls.Trojan.Laroux-28 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.