Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6a7abf760866d088…

MALICIOUS

Office (OLE)

Size: 157.0 KB
Created: 2004-11-15 10:49:04
Authoring application: Microsoft Excel
MD5: 9775b09050f2860a43410a992a05129e
SHA-1: dd9d1fcdb15da7dd99cfe00684b827f09ec5f7a7
SHA-256: 6a7abf760866d088d9339688c778389d33dc397038aa4b1c8e2d9d8a2b4b7268
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1546.003 Event Triggered Execution

The critical ClamAV detections indicate this is a malicious Excel file. The presence of an Auto_Open macro and the VBA script's logic to copy itself to the StartupPath as 'StartUp.xls' strongly suggests an attempt to achieve persistence. The script also attempts to hook Excel's sheet activation and hotkey events, further indicating malicious intent.

Heuristics (4)

  • ClamAV: Ppt.Malware.Laroux-10036124-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Ppt.Malware.Laroux-10036124-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro high OLE_VBA_AUTO
    The document contains an Auto_Open macro, which Excel runs automatically when the workbook is opened (subject to the user's macro security settings).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 8438e44621d0a431b581fbc4dd9b5375d028c0f3ab40a1c33d467dd02cfca27e
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 6599 bytes
    Detection: ClamAV: Xls.Trojan.Escape-1
    Obfuscation or payload: unlikely