Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 63ca20e950c0f0ea…

MALICIOUS

Office (OLE) / .EXE

33.0 KB Created: 1998-04-09 11:40:16 Authoring application: Microsoft Excel
MD5: 805d40a51b5349b9c59f4cfbd18ab19f SHA-1: 5b84ddb252b5b168e0e070a971148ddd97c2e9e5 SHA-256: 63ca20e950c0f0eac636439fb96abd53158d09161400281cddb0bb46ffa1cfab
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel 5 macro virus (Laroux) that uses an Auto_Open macro to set up a trigger for its malicious code. It attempts to save itself as PERSONAL.XLS in the startup path, which is a common persistence mechanism. The VBA code explicitly references 'PERSONAL.XLS' and 'auto_open', indicating a clear intent to achieve persistence.

Heuristics 5

  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a0a899834c7d8d4ef6ea3115986a7debf295d8d0e62963d0fee2c507cbe382a6		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1887 bytes
embedded_office_off00005b31.ole
4a14de369eb5538f93bb1214be37fc40e63e4b4d2ef174b876d7529422f9003f		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x5B31 10447 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.