Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 63f044a0643cc8c6…

MALICIOUS

Office (OLE) / .XLS

61.5 KB Created: 2020-08-23 14:59:56 First seen: 2022-04-02
MD5: fa0b15330c8ea15cf0f2d70927bf9e9c SHA-1: ad9bbac1d9bbe7a953ffc70e5dbbaeca9004ba58 SHA-256: 63f044a0643cc8c69550bfe15954b38d66786e4b5be97d532a980aa5add58824
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros, specifically an Auto_Open macro designed to execute upon opening. The macro attempts to establish persistence by copying itself to the Excel startup folder as 'mypersonnel.xls' and also attempts to save a copy as 'mypersonel.xls' in the XLSTART directory. The Auto_Close macro also contains logic to save the workbook, potentially to obfuscate its presence or format. The document body appears to be a benign school timetable, suggesting a lure.

Heuristics 4

  • ClamAV: Xls.Malware.ExcelSic-10005885-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10005885-1
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
0e027d7c75d49f79cc7aa4389acfebf7b55f41d2ad86258589318b07847f19ae		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.