Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 666d3bca9867aa70…

MALICIOUS

Office (OLE) / .XLS

275.5 KB Created: 2001-05-31 13:44:49 Authoring application: Microsoft Excel
MD5: 880d1390bfe975b6d75c9df2ae99ac0f SHA-1: e285de5e01acac45ae5d0c36603f16640141894a SHA-256: 666d3bca9867aa70efe45bc822bcefa222580da29482defe19c53b3dc7a24414
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros, specifically an Auto_Open macro. This macro attempts to copy itself to the Excel startup path as 'StartUp.xls', which is a persistence mechanism. The script also contains logic to delete sheets from other workbooks, likely to evade detection or analysis. The ClamAV detection 'Doc.Macro.Laroux-5893719-0' further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6e5a99183d4be3f696969f4aa304d3f1f55e17015a84da4bf6e67237b4581e7d		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1917 bytes
ole10native_00.bin
078db1159ac96c8596a2ce13b7a157c9eada4d3907b2a9622a7b997345f2b1ed		 ole-package OLE Ole10Native stream: MBD046B7431/Ole10Native 76260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.