Win.Trojan.Ag-1 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 75b1ad1d0dfbffd5…

MALICIOUS

Office (OLE) / .XLS

Size: 504.0 KB
Created: 2010-04-04 16:44:52
Authoring application: Microsoft Excel
MD5: 6b4cd800be7232f656caed943e177dba
SHA-1: e14a275e7eeab762400e7f86c73786e5a5898a53
SHA-256: 75b1ad1d0dfbffd5f40e23686350a5b9601c7772a056815783d8d2d4df0ada79
Risk Score: 362

Malware Insights

Win.Trojan.Ag-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The file is an Excel spreadsheet containing a Workbook_Open VBA macro that triggers the execution of embedded OLE packages. These packages, identified as ole10native_00.bin and ole10native_03.bin, are flagged as containing auto-executable payloads. The presence of ShellExecute and LoadLibrary API calls further suggests the execution of external code, consistent with a trojan dropper.

Heuristics (9)

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • ClamAV: Win.Trojan.Ag-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Ag-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 70f9587aa126142bf03924fc8178340d08545dcb67b0525d19e12912dbb16038
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1630 bytes
  • ole10native_00.bin
    SHA-256: d6e8e8703f2be0eb59aeedf273ddb2f1f29975ad472271939ef3034d7104c5a2
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD000D66A5/Ole10Native
    Size: 111947 bytes
    Detection: ClamAV: Win.Trojan.Ag-1
    Obfuscation or payload: likely. Carved artifact entropy is 7.74, consistent with packed or encrypted content.
  • ole10native_03.bin
    SHA-256: baf5d516df767389a7ccb4ca89d0bef53d29b4ed4c3aa797ed597c2a6fe9e9ac
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD004283CC/Ole10Native
    Size: 111926 bytes
    Detection: ClamAV: Win.Trojan.Ag-1
    Obfuscation or payload: likely. Carved artifact entropy is 7.74, consistent with packed or encrypted content.