Win.Trojan.Tristate-2 Office (OLE) / .XLS malware analysis — malicious · 74e26030fb81efa2

MALICIOUS

Office (OLE) / .XLS

244.5 KB Created: 1999-01-10 17:57:08 Authoring application: Microsoft Excel

MD5: da52343701c9f1099b960f39d6cd2a41 SHA-1: 86f8b1196e3374aa7760de31f7dcee3fbafa3ea2 SHA-256: 74e26030fb81efa23e557f4ce18ef3b90896d076fb5bbed5201d3151d77f8da6

160 Risk Score

Malware Insights

Win.Trojan.Tristate-2 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing a Workbook_Open VBA macro, which is a common technique for executing malicious code upon opening. The macro displays a message box claiming to be for educational purposes and then calls a 'start' subroutine. This subroutine loads and shows a user form, likely as a lure or to prepare for a secondary payload. The ClamAV detection explicitly identifies it as Win.Trojan.Tristate-2.

Heuristics 4

ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Tristate-2
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0da5c229ee4bb416b98b69cbab315ef96895fa5c72d8e73a81fc66fc61f498c3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	56466 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.