Office (OLE) / .XLSX malware analysis — malicious · 35f6556b1b0e9a89

MALICIOUS

Office (OLE) / .XLSX

27.0 KB Created: 2000-04-17 09:43:24 Authoring application: Microsoft Excel

MD5: 7ce2a6c6a09a563417c5c0c853c9aea2 SHA-1: 40d303cd814b84b3ac9953d74a5f9fb3c8c2232c SHA-256: 35f6556b1b0e9a89e79e61210c1f5e44f6d2c98afda0288317505added3cda2d

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, with a critical heuristic indicating it's a known malicious artifact (Xls.Trojan.PTH-2). The presence of an Auto_Open macro suggests immediate execution upon opening. The VBA code attempts to copy itself to the user's PERSONAL.XLS file, indicating an attempt at persistence and potentially further payload execution, though the script is truncated.

Heuristics 3

ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `06c61f4b1bdcf098a5bd9cf2c6dce4c0905b5ec0f4ef0584f3162381b0a1c994`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6482 bytes
Detection ClamAV: Xls.Trojan.PTH-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.