Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 3ac1fbbdb744166e…

MALICIOUS

Office (OLE) / .XLSX

715.5 KB
Created: 2011-11-16 01:40:05
Authoring application: Microsoft Excel
First seen: 2023-02-06
MD5: aa09bb0668e6de623a03dc57124bd77f
SHA-1: bf0c7e701c21dce6378b06056408af36a7df23de
SHA-256: 3ac1fbbdb744166ec3f8b61d0b9648ebca3ee09ed1414b4c9de45ea99206552f
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic

The file contains VBA macros, including an Auto_Open subroutine, which is a common technique for executing malicious code upon opening a document. The script attempts to copy itself to the Excel startup path as 'mypersonnel.xls' and also 'mypersonel.xls', suggesting an attempt at persistence or further execution. The ClamAV detection further supports its malicious nature.

Heuristics 4

  • ClamAV: Xls.Malware.ExcelSic-10004731-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          0e027d7c75d49f79cc7aa4389acfebf7b55f41d2ad86258589318b07847f19ae
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1816 bytes