Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 50a9474a2d75a0c7…

MALICIOUS

Office (OLE) / .XLS

28.5 KB Created: 1996-10-21 11:03:58 Authoring application: Microsoft Excel
MD5: 9da108c1bc54b08ac833cda973b726f5 SHA-1: b34c899734d0fb7cabc9959694de8fa46bb09018 SHA-256: 50a9474a2d75a0c713be84050073b87c74902ecc89b2befc67bd533b1edc736e
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The document body presents a plausible lure related to hospital commissions and advancement, aiming to trick the user into enabling macros. The presence of a Workbook_Open macro strongly suggests the intent to download and execute a second-stage payload.

Heuristics 4

  • ClamAV: Xls.Trojan.Divi-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Divi-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a97f8549d0bf05a7e73af7208e4ffb0fa6d2b20b30b7385cb263c0549e6d004a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 13863 bytes
Detection
ClamAV: Xls.Trojan.Divi-2
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.