Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 808bec7e30b2fd0a…

MALICIOUS

Office (OLE) / .XLSX

Size: 781.5 KB
Created: 2022-02-07 07:23:36
Authoring application: Microsoft Excel
First seen: 2023-02-06
MD5: 5207655bc13da086957c459058932a4b
SHA-1: a9986da508b9eb444797d9786b03326961961405
SHA-256: 808bec7e30b2fd0abdfcdb4623783e0b64a9827d26d397d37bea35aa483c83c5
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an Excel workbook carrying a VBA project with Auto_Open and Auto_Close procedures. Excel runs these automatically when the workbook is opened and closed once macros are enabled, so the code executes without any further user action. The Auto_Open macro copies the workbook into the Excel startup folder (XLSTART) as 'mypersonnel.xls'; Excel opens every workbook in that folder at launch, so the macro runs again on each Excel start even if the original lure is deleted. The visible sheet content is shipping and payment text, consistent with an invoice lure. The ClamAV signature hit corroborates the static findings; the classification rests on the macro behaviour, not on the signature alone.
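The following is an added triage example and not part of the report or of the tooling that produced it. It runs over a constructed VBA module written for this page to mirror the behaviour described above (an Auto_Open that saves a copy into Application.StartupPath as 'mypersonnel.xls'); the real decoded macros.bas is not reproduced here, so the module text, the procedure bodies and the helper names are assumptions. The checks flag auto-exec entry points, startup-folder persistence calls, and any workbook file names the code drops, which is the evidence a reviewer would want before accepting the persistence claim.

```python
import re

# Constructed sample: a hypothetical VBA module that mimics the behaviour the report
# describes. It is NOT the decoded macros.bas carved from the analysed sample.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim p As String
    p = Application.StartupPath & "\mypersonnel.xls"
    ActiveWorkbook.SaveCopyAs p
End Sub

Sub Auto_Close()
    ThisWorkbook.Saved = True
End Sub
'''

# Procedure names that Excel or Word run with no user action once macros are enabled.
AUTO_EXEC = {
    "auto_open", "auto_close", "autoopen", "autoclose", "autoexec",
    "workbook_open", "workbook_beforeclose", "document_open", "document_close",
}

# Calls and properties that land a copy of the document where Office loads it at start.
# Application.StartupPath normally resolves to %APPDATA%\Microsoft\Excel\XLSTART.
PERSISTENCE_PATTERNS = [
    ("Application.StartupPath", r"\bApplication\.StartupPath\b"),
    ("XLSTART literal", r"(?i)xlstart"),
    ("SaveCopyAs", r"\.SaveCopyAs\b"),
    ("SaveAs", r"\.SaveAs\b"),
    ("FileCopy", r"\bFileCopy\b"),
]

PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE | re.MULTILINE,
)

# Quoted string literals that look like an Excel file name, e.g. "\mypersonnel.xls".
DROP_NAME_RE = re.compile(r'"\\?([^"\\]+\.xl(?:s|sx|sm|sb|am))"', re.IGNORECASE)


def find_auto_exec(vba: str) -> list[str]:
    """Names of procedures that run automatically, as declared in the source."""
    names = {m.group(1) for m in PROC_RE.finditer(vba) if m.group(1).lower() in AUTO_EXEC}
    return sorted(names, key=str.lower)


def find_persistence(vba: str) -> list[str]:
    """Labels of startup-folder persistence indicators present in the source."""
    return [label for label, pat in PERSISTENCE_PATTERNS if re.search(pat, vba)]


def find_dropped_names(vba: str) -> list[str]:
    """Workbook file names the macro writes, taken from string literals."""
    return sorted(set(DROP_NAME_RE.findall(vba)), key=str.lower)


def triage(vba: str) -> dict:
    """Combine the three checks into the verdict a reviewer would record."""
    auto = find_auto_exec(vba)
    persist = find_persistence(vba)
    dropped = find_dropped_names(vba)
    if auto and persist:
        verdict = "suspicious: auto-exec macro with startup-folder persistence"
    elif auto:
        verdict = "review: auto-exec macro without persistence indicators"
    else:
        verdict = "no auto-exec entry point"
    return {"auto_exec": auto, "persistence": persist, "dropped_names": dropped, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On a real case the input is the decoded VBA text that olevba writes out (the macros.bas artifact listed below); the regexes are deliberately loose, so treat a hit as something to read by hand rather than as a verdict, and add the host check of whether the named file now sits in XLSTART.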

Heuristics (5)

  • ClamAV: Xls.Malware.ExcelSic-10004731-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  1510 bytes
SHA-256 of macros.bas: d49b3eed57ea333340314eacd5bf3454f6a2ba3085f3bfa723034dd1a2d97cfb