Xls.Trojan.Escape Office (OLE) / .XLS malware analysis — malicious · 2c57c7e097b744cf

MALICIOUS

Office (OLE) / .XLS

53.5 KB Created: 1997-01-14 01:50:29 Authoring application: Microsoft Excel

MD5: 0b98f72c91948d9e665051b111384d0d SHA-1: 730689f0dfd66f69bb0770541e1bab70d498b1bd SHA-256: 2c57c7e097b744cffacc0358ecb26c5695c047f9665bc6e2af4d0fe41f9dc1cf

180 Risk Score

Malware Insights

Xls.Trojan.Escape · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, specifically an Auto_Open macro, which is a common technique for executing malicious code upon opening. ClamAV detections for 'Xls.Trojan.Escape-2' and 'Xls.Trojan.Escape-1' strongly indicate a trojan. The document body content appears to be a Bill of Materials, likely a lure to disguise the malicious macro.

Heuristics 4

ClamAV: Xls.Trojan.Escape-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Escape-2
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `df0db2b736b6c198afb0d1338be15f877e7b5ce9ad88e18698ac06d145dfcb65`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1988 bytes
Detection ClamAV: Xls.Trojan.Escape-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.