Risk Score: 520 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1204.002 Malicious File
The sample is classified as a malicious Excel Trojan (ClamAV signature Xls.Trojan.War-2) on the strength of critical VBA macro heuristics: an Auto_Open entry point combined with Shell() and CreateObject calls. The Auto_Open macro attempts to establish persistence by creating directories and saving a file to the user's Startup path, most likely so that further malicious content is downloaded and executed at the next logon. The VBA source also contains the strings 'BackDoor' and 'Email', which suggests backdoor functionality and a phishing or mail-based spreading component.
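The chain the summary describes (an auto-exec entry point, CreateObject, a write into the Startup folder, a Shell call) is what the macro heuristics key on. The following is an added example, not the analyzer's or oletools' code, of how that triage pass can be written: rule ids prefixed OLE_VBA_ mirror the report's heuristic names, while VBA_STARTUP_PATH, VBA_DOWNLOAD and VBA_AUTOEXEC_WITH_EXEC are names made up here; the macro it runs on is constructed to resemble the behaviour reported above and is not the sample's actual source.

```python
"""VBA macro triage: auto-exec entry points plus execution, object-creation,
persistence and download tokens.  Added example; not the analyzer's code."""
import re

# (rule id, severity, pattern).  Matching is case-insensitive, as VBA is.
# OLE_VBA_* ids mirror the report; VBA_* ids are this example's own names.
VBA_RULES = [
    ("OLE_VBA_AUTO",      "high",     r"\b(?:Auto_Open|Workbook_Open|Document_Open)\b"),
    ("OLE_VBA_AUTOCLOSE", "high",     r"\b(?:Auto_Close|Workbook_BeforeClose|Document_Close)\b"),
    # a bare Shell statement or Shell(...) call, but not the "WScript.Shell" ProgID
    ("OLE_VBA_SHELL",     "critical", r'(?<![\w.])Shell\b\s*[("]'),
    ("OLE_VBA_CREATEOBJ", "high",     r"\bCreateObject\s*\("),
    ("VBA_STARTUP_PATH",  "high",     r'SpecialFolders\s*\(\s*"Startup"\s*\)|\\Startup\b|Environ\s*\(\s*"APPDATA"\s*\)'),
    ("VBA_DOWNLOAD",      "high",     r"\b(?:URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream)\b"),
]
AUTO_RULES = {"OLE_VBA_AUTO", "OLE_VBA_AUTOCLOSE"}
EXEC_RULES = {"OLE_VBA_SHELL", "OLE_VBA_CREATEOBJ", "VBA_DOWNLOAD"}
RANK = {"critical": 3, "high": 2, "medium": 1}


def triage_vba(source):
    """Return per-rule hit counts, pivotable string literals and a verdict."""
    hits = {}
    for rule_id, severity, pattern in VBA_RULES:
        n = len(re.findall(pattern, source, flags=re.IGNORECASE))
        if n:
            hits[rule_id] = {"severity": severity, "count": n}
    # The p-code style combination: an entry point that fires on its own plus
    # something that executes or fetches is what separates "has macros" from "malicious".
    if hits.keys() & AUTO_RULES and hits.keys() & EXEC_RULES:
        hits["VBA_AUTOEXEC_WITH_EXEC"] = {"severity": "critical", "count": 1}
    # String literals an analyst would pivot on: paths, URLs, executables, scripts.
    literals = re.findall(r'"([^"]{3,})"', source)
    iocs = sorted({s.strip() for s in literals
                   if re.search(r'\\|://|\.(?:exe|vbs|js|ps1|dll|scr)\b', s, re.IGNORECASE)})
    worst = max((RANK[h["severity"]] for h in hits.values()), default=0)
    verdict = "malicious" if worst == 3 else "suspicious" if worst == 2 else "clean"
    return {"verdict": verdict, "hits": hits, "strings_of_interest": iocs}


# Constructed macro resembling the reported chain; NOT the sample's real code.
SAMPLE_MACRO = r'''
Sub Auto_Open()
    Dim fso, sh, target
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set sh = CreateObject("WScript.Shell")
    target = sh.SpecialFolders("Startup") & "\update.vbs"
    If Not fso.FolderExists(sh.SpecialFolders("Startup")) Then
        fso.CreateFolder sh.SpecialFolders("Startup")
    End If
    ThisWorkbook.SaveAs target
    Shell "wscript.exe " & Chr(34) & target & Chr(34), vbHide
End Sub

Sub Auto_Close()
    ' BackDoor / Email marker strings like the ones seen in the real sample
End Sub
'''

if __name__ == "__main__":
    print(triage_vba(SAMPLE_MACRO))
```

The lookbehind on the Shell rule matters: `CreateObject("WScript.Shell")` is an object-creation hit, not a Shell() call, and counting it twice inflates scores on otherwise ordinary automation macros. The combination rule is deliberately separate from the per-token rules so that a document with Auto_Open and nothing else stays at "has macros" rather than "malicious".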
Heuristics 12
- Shell() call in VBA (critical, OLE_VBA_SHELL)
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- ClamAV: Xls.Trojan.War-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.War-2.
- ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
- Auto_Open macro (high, OLE_VBA_AUTO)
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): The OLE file is 278,696 bytes but its declared streams total only 0 bytes, so all 278,696 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code.
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
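The two compound-file heuristics above (OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS) come down to reading the CFB header, rebuilding the FAT, walking the directory and comparing what the structure accounts for against the file size. The following is an added example, not the analyzer's or olefile's code, that does this in dependency-free Python for v3 (512-byte sector) files; the two documents it runs on, one with trailing sectors that no FAT entry references and one whose header points at no directory at all, are constructed inline and are not the analysed sample.

```python
"""Static CFB/OLE2 slack and empty-directory checks (added example, see lead-in)."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
SECTOR = 512                     # v3 sector size; sector n starts at byte (n + 1) * 512
OBJ_STREAM, OBJ_ROOT = 2, 5      # directory entry object types

def _sector(data, n):
    return data[(n + 1) * SECTOR:(n + 2) * SECTOR]

def _walk_chain(fat, start, n_sectors):
    """Follow a FAT chain; stop at end-of-chain, out-of-range sectors or loops."""
    seen, cur = [], start
    while cur < FATSECT and cur < len(fat) and cur < n_sectors and cur not in seen:
        seen.append(cur)
        cur = fat[cur]
    return seen

def cfb_slack_report(data):
    if len(data) < SECTOR or data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE2 file")
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    if 1 << sector_shift != SECTOR:
        raise ValueError("only 512-byte-sector (v3) files are handled here")
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    n_sectors = (len(data) - SECTOR) // SECTOR
    # Rebuild the FAT from the header DIFAT (its 109 entries cover files up to ~7 MB).
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        if s >= n_sectors:
            break
        fat.extend(struct.unpack("<128I", _sector(data, s)))
    # Walk the directory chain and record every stream entry's declared size.
    streams = []
    for ds in _walk_chain(fat, first_dir, n_sectors):
        raw = _sector(data, ds)
        for off in range(0, SECTOR, 128):
            entry = raw[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 0x40)
            if obj_type != OBJ_STREAM:
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            size, = struct.unpack_from("<I", entry, 0x78)   # low 32 bits suffice in v3
            streams.append((name, size))
    declared = sum(size for _, size in streams)
    allocated = sum(1 for i in range(min(len(fat), n_sectors)) if fat[i] != FREESECT)
    unaccounted = max(len(data) - SECTOR * (1 + allocated), 0)   # header + allocated sectors
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": declared,
        "bytes_outside_declared_streams": len(data) - declared,   # the report's coarse figure
        "fat_unallocated_bytes": unaccounted,                      # bytes no FAT entry claims
        "fat_unallocated_pct": round(100.0 * unaccounted / len(data), 1),
        "no_readable_streams": not streams,
    }

def _dir_entry(name, obj_type, child, start, size):
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 0x40, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)

def build_sample(stream_size, slack_sectors, hide_directory=False):
    """Constructed minimal v3 CFB (not the analysed file): sector 0 = FAT,
    sector 1 = directory, sectors 2.. = one regular stream, then slack_sectors
    of bytes that no FAT entry references.  hide_directory points the header at
    an end-of-chain marker instead of sector 1, as a parser-evasion file would."""
    n_data = -(-stream_size // SECTOR)
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_data)]
    if n_data:
        fat[-1] = ENDOFCHAIN
    fat += [FREESECT] * (128 - len(fat))
    header = bytearray(SECTOR)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", header, 0x28, 0, 1, ENDOFCHAIN if hide_directory else 1,
                     0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    directory = (_dir_entry("Root Entry", OBJ_ROOT, 1, ENDOFCHAIN, 0)
                 + _dir_entry("Workbook", OBJ_STREAM, NOSTREAM, 2, stream_size)
                 + bytes(256))
    body = bytes(n_data * SECTOR)
    slack = bytes((i * 7 + 0x5A) & 0xFF for i in range(slack_sectors * SECTOR))
    return bytes(header) + struct.pack("<128I", *fat) + directory + body + slack

if __name__ == "__main__":
    for label, doc in (("trailing slack", build_sample(4096, 4)),
                       ("hidden directory", build_sample(4096, 0, True))):
        print(label, cfb_slack_report(doc))
```

The report's 100% figure is the coarse bytes_outside_declared_streams metric; header, FAT and directory sectors always inflate it, so a flag is better driven by fat_unallocated_bytes (sectors the FAT marks free or does not cover) together with no_readable_streams. In the second constructed document the FAT is fully consistent and only the directory pointer is bad, which is why the empty-directory check has to be a separate heuristic from the slack check rather than a special case of it.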
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload | Note |
|---|---|---|---|---|---|---|---|
| macros.bas | e93fc98f1d229433111d82a2c5cc1ad5ff4753402521f04348da49fb73b5b295 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 481,771 bytes | Xls.Trojan.War-2 | unlikely | |
| embedded_office_off00006b58.ole | 9c20b2211cda4710e23eaf79149ccee2b3de57cd71eec4719812a2a0de09a80c | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x6B58 | 278,696 bytes | No threats found | likely | Carved macro source contains an auto-exec entry point and execution/download terms. |