Malware Insights
The sample is identified as malicious by ClamAV with multiple signatures, including 'Xls.Trojan.Escape-2' and 'Xls.Trojan.Escape-1'. It contains VBA macros, including an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The critical heuristic firing for 'CVE_2014_4114' indicates the presence of an OLE package with an executable payload, strongly suggesting exploitation for client execution. The VBA script attempts to copy itself to the Excel startup path and manipulate application events, likely to establish persistence or evade detection.
Heuristics 5
-
CVE-2014-4114 — OLE Package with executable payload critical CVE likely CVE_2014_4114OLE Package CLSID found alongside executable file references — a strong CVE-2014-4114/Sandworm-style package-dropper indicator.
-
ClamAV: Xls.Trojan.Escape-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Escape-2
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basb1dc6e799f600e1fe03c12ee5c927d9c20e72385747b65f9e697c96da1cbf849 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1767 bytes |
|
Detection
ClamAV:
Xls.Trojan.Escape-1
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.