Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8b2a3ad3b8d49706…

MALICIOUS

Office (OLE) / .XLS

44.5 KB Created: 1996-10-21 11:03:58 Authoring application: Microsoft Excel
MD5: 997c390a7191f89123172d9925ed7028 SHA-1: 839d417f1b85a1a9fb8f704c41934921ffcb1de7 SHA-256: 8b2a3ad3b8d4970679a2cdaf19f0b149c45e9ee936c0f7d8a87f7e2280c3be12
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file identified as malicious by ClamAV with the signature Xls.Trojan.Divi-2. It contains VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening the document. The document body contains what appears to be a list of names and job titles, likely a lure to disguise the malicious nature of the spreadsheet. No specific IOCs like URLs or file paths were extracted from the macros themselves.

Heuristics 4

  • ClamAV: Xls.Trojan.Divi-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Divi-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
61ff312172532da51873dc94f427aa2fcbd382ebc484f6ef875e77323317df2c		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 13864 bytes
Detection
ClamAV: Xls.Trojan.Divi-2
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.