Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 37a5e4f43fb1803d…

MALICIOUS

Office (OLE) / .EXE

Size: 49.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
MD5: 273ce609f38822c8b3a840ad5b9e3817
SHA-1: 62f9bf1401668c5ba46e9f13f746dc9ac40c0f5a
SHA-256: 37a5e4f43fb1803dcba0ae191da075ca270feda6c0afff8eec1454828e72d141
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The file is identified as a malicious Excel document by ClamAV, specifically 'Xls.Trojan.Divi-2'. It contains VBA macros, including a Workbook_Open event handler, which Excel runs automatically when the workbook is opened (once macros are enabled) and which is a common way to start malicious code without any further user interaction. The presence of an auto-executing macro suggests the file is designed to deliver a payload or perform malicious actions immediately after being opened.

Heuristics 4

  • ClamAV: Xls.Trojan.Divi-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Divi-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    The VBA project defines a Workbook_Open handler, which Excel runs automatically when the document is opened (if macros are enabled)
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
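The two OLE_VBA_* heuristics above and the artifact's obfuscation verdict can be reproduced on the decoded macro text rather than on the OLE container. The Python below is an added example, not the analysis platform's or oletools' own code: it takes decoded VBA source of the kind olevba produces (the carved macros.bas in this report) and reports auto-execute triggers, suspicious API use and a crude obfuscation estimate. The trigger list, suspicious-call list and the obfuscation threshold are this example's assumptions, and the three macro samples are constructed for illustration.

```python
"""Triage decoded VBA source the way the OLE_VBA_* heuristics do.

Added example, not the analysis platform's code. Input is decoded VBA
text (what olevba extracts); the keyword lists and the obfuscation
threshold below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Procedure names Office runs automatically once macros are enabled.
AUTOEXEC_TRIGGERS = {
    "Workbook_Open", "Workbook_Activate", "Auto_Open", "AutoOpen",
    "Document_Open", "Auto_Close", "AutoClose", "Document_Close",
}
_TRIGGER_BY_LOWER = {t.lower(): t for t in AUTOEXEC_TRIGGERS}  # VBA is case-insensitive

# Calls a dropper typically needs: spawn a process, reach the network, touch files.
SUSPICIOUS_CALLS = (
    "WScript.Shell", "Shell", "CreateObject", "URLDownloadToFile",
    "XMLHTTP", "ADODB.Stream", "Environ", "SaveToFile", "Kill",
)

# String-building primitives that dominate obfuscated macros.
_OBF_RE = re.compile(r"\bChr[W$]?\(|\bStrReverse\(|\bXor\b|&H[0-9A-Fa-f]{2,}")
# Sub/Function declarations, optionally prefixed with Private/Public.
_PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(", re.M | re.I)


@dataclass
class VbaTriage:
    has_macros: bool
    autoexec: list = field(default_factory=list)     # auto-execute handlers found
    suspicious: list = field(default_factory=list)   # suspicious calls found
    obfuscation_likely: bool = False
    heuristics: list = field(default_factory=list)   # (id, severity) as in the report


def triage_vba(src: str) -> VbaTriage:
    """Return findings for one decoded VBA module (empty source -> no macros)."""
    code_lines = [l for l in src.splitlines()
                  if l.strip() and not l.lstrip().startswith("'")]
    result = VbaTriage(has_macros=bool(code_lines))
    if not result.has_macros:
        return result
    procs = _PROC_RE.findall(src)
    result.autoexec = [_TRIGGER_BY_LOWER[p.lower()] for p in procs
                       if p.lower() in _TRIGGER_BY_LOWER]
    result.suspicious = [c for c in SUSPICIOUS_CALLS
                         if re.search(r"\b" + re.escape(c) + r"\b", src, re.I)]
    obf_hits = len(_OBF_RE.findall(src))
    # Assumed threshold: many string-building calls relative to the code size.
    result.obfuscation_likely = obf_hits >= 10 and obf_hits / len(code_lines) > 0.3
    # Macro presence alone is medium; a Workbook_Open handler raises it to high.
    result.heuristics.append(("OLE_VBA_MACROS", "medium"))
    if "Workbook_Open" in result.autoexec:
        result.heuristics.append(("OLE_VBA_WBOPEN", "high"))
    return result


# Constructed samples (not the sample's real macro code).
SAMPLE_WBOPEN = """Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run Environ("TEMP") & "\\update.exe", 0
End Sub
"""

SAMPLE_OBFUSCATED = """Sub Auto_Open()
    Dim s As String
    s = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47)
    s = s & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101)
    Shell StrReverse(s), vbHide
End Sub
"""

SAMPLE_BENIGN = """Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, src in (("wbopen", SAMPLE_WBOPEN), ("obfuscated", SAMPLE_OBFUSCATED),
                      ("benign", SAMPLE_BENIGN)):
        print(name, triage_vba(src))
```

Feed it the decoded text that olevba extracts for the sample; the constructed cases show why the severity steps from medium (macros present) to high (Workbook_Open handler), and that a plain, unobfuscated macro can still be a dropper, which matches this report's "Obfuscation or payload: unlikely" verdict sitting next to a critical ClamAV hit.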

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: c6fa29645df232dfa9d1de185316b7e66085afa505e89da5579c79d8664b4406
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14621 bytes
Detection: ClamAV: Xls.Trojan.Divi-2
Obfuscation or payload: unlikely