Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 6d2dcee409c9d373…

MALICIOUS

Office (OLE) / .EXE

Size: 70.0 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
MD5: 3619681862c760dac2147e2c8eadd386
SHA-1: 4b110ca9df4b54644a3de2e8f40301691bb2815b
SHA-256: 6d2dcee409c9d37345cec350dfab62b0b5cb0ea4a968abfd58d2cce268712ed4
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel macro-enabled file containing VBA code. The 'auto_open' subroutine triggers the 'check_files' subroutine, which is designed to copy a sheet named 'xxx' from the active workbook into a new file named 'PERSONAL.XLS' in the Excel startup path, thereby establishing persistence. This behavior is characteristic of older macro viruses.

Heuristics 3

  • Excel 5 Laroux/Larou-CV macro-virus marker cluster [critical] (OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (a506d95ad30fce24397a2de81d13fc5570e58ca382726e966acddfdac24e2cdf) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1900 bytes