Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5e20f07ae987e4b3…

MALICIOUS

Office (OLE)

Size: 74.0 KB
Created: 2008-12-08 06:54:20
Authoring application: Microsoft Excel
MD5: e5371097ac2ece8c8bc39c5b67bc194a
SHA-1: a93a8f1bac9c04f0abc0245b3f46465dfce370f5
SHA-256: 5e20f07ae987e4b32e8f387cfc786f80fcfc1e7e7869682363105aa9de9ddb72
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros, specifically an Auto_Open macro. This macro attempts to copy itself to the Excel startup directory as 'StartUp.xls' to achieve persistence. It also sets up various event handlers to maintain its presence and potentially evade detection. The document body contains a mix of Chinese and English text related to business and contact information, which appears to be a lure.

Heuristics (3)

  • ClamAV: Doc.Macro.Laroux-5893719-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    The document contains an Auto_Open macro, which runs automatically when the workbook is opened.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: b35f884f1ab3c6e6c1dbe2d6db716dba0e1ebba6f7c888a0fd88da628484a892
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1912 bytes