Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 324295afd8eb75c9…

MALICIOUS

Office (OLE) / .XLSX

Size: 2.98 MB
Created: 2000-04-03 09:32:09
Authoring application: Microsoft Excel
MD5: c9df63f76afcb1d1e170eb6c26ae544b
SHA-1: c6c1bc9940039260f8ac3b92ecb7635b73722c5c
SHA-256: 324295afd8eb75c91de32b0a079df340139d4f2ce35e5aa15c6aa4f0dd8cac18
Risk score: 180

Malware Insights

MITRE ATT&CK
T1547.001 Registry Run Keys / Startup Folder
T1059.005 Visual Basic

The critical ClamAV heuristic indicates this is a known malicious Excel file (Xls.Trojan.BMV-1). The presence of an Auto_Open macro, identified by the OLE_VBA_AUTO heuristic, suggests the macro code executes as soon as the workbook is opened. The script saves a copy of the workbook to the XLStart directory as 'XlStart\BMV.xls'; because Excel loads every workbook placed in XLStart at startup, this is a common technique for establishing persistence, and it appears to be the script's sole intent.

Heuristics (4)

  • ClamAV: Xls.Trojan.BMV-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.BMV-1
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Auto_Open macro [high, OLE_VBA_AUTO]
    The document contains an Auto_Open macro, which runs automatically when the workbook is opened.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    The document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6b691004e3fa2a967b8e088dc4445a46a5965827dd6100750607e969a7de2560
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24122 bytes
Detection: ClamAV: Xls.Trojan.BMV-1
Obfuscation or payload: unlikely