Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 5eebf2118d753340…

MALICIOUS

Office (OLE) / .XLSX

Size: 210.0 KB
Authoring application: Microsoft Excel
MD5: 200f94d47bef56592c61b358f6a097f4
SHA-1: fe752e0bc12a4abcad30b88b38a6557f13299d71
SHA-256: 5eebf2118d75334034f96bd1977b70ce4d0cc46954fb271db3c725caf5d6b213
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel workbook containing VBA macros. The macro source shows attempts at obfuscation and calls GetObject, a VBA function that resolves a path or moniker string to a COM object; macro malware commonly uses it to reach WMI or another COM server that can launch a process, and here it could be used to download and execute a second-stage payload. ClamAV signatures corroborate the verdict: the workbook itself is detected as Doc.Trojan.Jerk-7 and the extracted macro source as Doc.Trojan.Jerk-5.

Heuristics 4

  • ClamAV: Doc.Trojan.Jerk-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jerk-7
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • GetObject call high OLE_VBA_GETOBJ
    The VBA source calls GetObject, which returns a COM object for a file path or moniker string. Unlike CreateObject it needs no registered ProgID in the call, so macro malware uses it to obtain WMI (a winmgmts: moniker) or other COM servers that can start a process.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
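As an added example, not code from the scanner that produced this report, the following Python walks decoded VBA source and flags the kind of indicators the heuristics above describe: an auto-execution entry point, GetObject and CreateObject, a WMI moniker, a shell launch, and strings built from Chr() calls. It also folds Chr() concatenations back into the literal they produce, so an obfuscated "winmgmts:" still triggers the moniker rule. The rule names, severity weights and the VBA sample are this example's own constructions; the sample is not the macros.bas artifact carved from this file.

```python
import re

# Constructed sample of decoded VBA source for this example. It is NOT the
# macros.bas artifact from the report; it only illustrates the patterns.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim s As String
    ' the WMI moniker is assembled from character codes to dodge plain matching
    s = Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & ":"
    Set w = GetObject(s)
    Set p = w.Get("Win32_Process")
    p.Create "cmd.exe /c echo stage2", Null, Null, pid
End Sub
'''

# (rule name, severity, pattern). Names follow the report's OLE_VBA_* style,
# but the rule set and the weights below are this example's own.
RULES = [
    ("OLE_VBA_AUTOEXEC", "medium",
     re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen)\b", re.I)),
    ("OLE_VBA_GETOBJ", "high", re.compile(r"\bGetObject\s*\(", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_WMI_MONIKER", "high", re.compile(r"winmgmts:", re.I)),
    ("OLE_VBA_SHELL", "high",
     re.compile(r"\b(Shell|WScript\.Shell|cmd\.exe|powershell)\b", re.I)),
    ("OLE_VBA_CHR_OBFUSCATION", "medium",
     re.compile(r"(?:Chr[BW]?\s*\(\s*\d+\s*\)\s*&\s*){3,}", re.I)),
]
WEIGHTS = {"critical": 60, "high": 30, "medium": 10}

# A concatenation run: Chr(n) calls and/or quoted literals joined with '&'.
_TERM = r'(?:Chr[BW]?\s*\(\s*\d+\s*\)|"[^"\n]*")'
_RUN = re.compile(_TERM + r"(?:\s*&\s*" + _TERM + r")+", re.I)
_PIECE = re.compile(r'Chr[BW]?\s*\(\s*(\d+)\s*\)|"([^"\n]*)"', re.I)


def fold_chr_concat(src):
    """Replace each Chr(..) & "lit" & ... run with the literal it builds, so
    that string rules see e.g. "winmgmts:" instead of character codes."""
    def join(m):
        parts = []
        for code, lit in _PIECE.findall(m.group(0)):
            parts.append(chr(int(code)) if code else lit)
        return '"' + "".join(parts) + '"'
    return _RUN.sub(join, src)


def _first_match(rx, text):
    """(line_no, matched_text) of the first line where rx fires, else None."""
    for n, line in enumerate(text.splitlines(), 1):
        m = rx.search(line)
        if m:
            return n, m.group(0)
    return None


def scan_vba(src):
    """Run every rule over the raw source and, only if it did not fire there,
    over the Chr-folded source. Returns [(rule, severity, line, view, text)]."""
    hits = []
    views = [("raw", src), ("decoded", fold_chr_concat(src))]
    for rule, sev, rx in RULES:
        for view, text in views:
            found = _first_match(rx, text)
            if found:
                hits.append((rule, sev, found[0], view, found[1]))
                break
    return hits


def risk_score(hits):
    """Additive score over severities; the weights are arbitrary for this example."""
    return sum(WEIGHTS[sev] for _, sev, *_ in hits)


if __name__ == "__main__":
    found = scan_vba(SAMPLE_VBA)
    for hit in found:
        print(hit)
    print("score:", risk_score(found))
```

Running the block on the constructed sample fires five rules; the WMI moniker is only caught on the decoded view, which is the point of folding the Chr() chain before matching. In practice the input would be the `vba-macro` artifact olevba writes out, and the CLAMAV_DETECTION and EXTRACTED_FILE_CLAMAV heuristics would be added on top from the AV results.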

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 835ef213d48dcc622139875bd463f3d86641a217a1e83808db8c8e47167b2433
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 381932 bytes
Detection: ClamAV: Doc.Trojan.Jerk-5
Obfuscation or payload: unlikely