Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4d33b45054710b89…

MALICIOUS

Office (OLE) / .XLS

Size: 981.5 KB
Created: 2010-05-18 02:32:04
Authoring application: Microsoft Excel
MD5: a5fb5f1d2a4363802f81954b53044e71
SHA-1: b0ced28ad6ddcf278a8344b1a2cda00852dae89a
SHA-256: 4d33b45054710b89b6ae6b52846d8af7453dceb1434dd74975741d68a946c7b6
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros, including an Auto_Open macro, a common delivery mechanism for malware. Critical heuristics indicate exploitation of CVE-2014-4114 via an OLE package, and ClamAV detections confirm its malicious nature. The document body content appears unrelated to the malicious functionality, suggesting it is a lure.

Heuristics (5)

  • CVE-2014-4114 — OLE Package with executable payload [critical] [CVE likely] CVE_2014_4114
    OLE Package CLSID found alongside executable file references — a strong CVE-2014-4114/Sandworm-style package-dropper indicator.
  • ClamAV: Xls.Trojan.Escape-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Escape-2
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: b1dc6e799f600e1fe03c12ee5c927d9c20e72385747b65f9e697c96da1cbf849
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1767 bytes
Detection: ClamAV: Xls.Trojan.Escape-1
Obfuscation or payload: unlikely