Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8df6010b615eae0f…

MALICIOUS

Office (OLE)

Size: 32.5 KB | Created (OLE metadata): 2002-07-13 19:44:55 | Authoring application: Microsoft Excel
MD5: f5cbf6255c750467e72ddb2fd8cbf369
SHA-1: 307313ad1cf8ad96326ce7312c1c909c209ad624
SHA-256: 8df6010b615eae0f64506022747a044d69fc3d8b8300b486b788637fc6b9c154
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is an Excel workbook in the OLE (CFB) container format whose VBA project declares an Auto_Open procedure. Auto_Open runs as soon as the workbook is opened with macros enabled, which is why it is the classic initial-execution hook in macro malware (T1059.005); the spearphishing-attachment mapping (T1566.001) reflects the usual delivery route for such documents, since static analysis alone cannot observe how this sample arrived. Two ClamAV signatures fire: Ppt.Malware.Laroux-10036124-0 on the document itself, naming Laroux, a long-known family of self-replicating Excel macro viruses, and Xls.Trojan.Escape-1 on the macro source carved from it. No document body text was available, so intent is inferred from the macro code and the detections rather than from any lure content. Note that the analysis rated obfuscation or an embedded payload as unlikely for the extracted macro, so the sample should not be assumed to be a downloader; the decisive evidence is the 3936-byte macros.bas artifact, which is small enough to read in full. The 2002 creation timestamp comes from the document's own metadata, is set by whoever authored the file, and should not be relied on to date the sample.

Heuristics (4)

  • ClamAV: Ppt.Malware.Laroux-10036124-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Ppt.Malware.Laroux-10036124-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro high OLE_VBA_AUTO
    The VBA project declares a procedure named Auto_Open, which Excel runs automatically when the workbook is opened with macros enabled, so the macro code executes without any further user action.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
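As an added example (not part of the original report, and not code from ClamAV or oletools), the following Python reproduces the two macro heuristics above, OLE_VBA_MACROS and OLE_VBA_AUTO, over decoded VBA source, and layers on the keyword and obfuscation checks a triage script normally adds next. It does not parse the OLE container itself; it assumes the macro text has already been dumped, for example with `olevba -c sample.xls`. The embedded VBA is a constructed sample written for this example, not the macros.bas carved from this file, which the page does not reproduce. The auto-exec and keyword lists are this example's own choices, not an authoritative catalogue.

```python
import re
from typing import Dict, List, Tuple

# Auto-execution entry points flagged as OLE_VBA_AUTO. Excel uses Auto_Open /
# Auto_Close / Workbook_Open; Word uses AutoOpen / AutoExec / Document_Open.
# This list is an assumption made for the example, not an exhaustive one.
AUTOEXEC_NAMES = (
    "Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_BeforeClose",
    "AutoOpen", "AutoClose", "AutoExec", "Document_Open", "Document_Close",
)

# Keywords that usually mean the macro reaches outside the document:
# process execution, COM instantiation, downloads, or self-replication into
# the Excel startup folder. Also an assumption made for the example.
SUSPICIOUS_KEYWORDS = (
    "Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile",
    "Environ", "Kill", "SaveAs", "XLSTART", "PERSONAL.XLS",
)

Finding = Tuple[str, str, str]  # (heuristic id, severity, description)


def find_autoexec(vba: str) -> List[str]:
    """Return the auto-exec procedures *declared* in the VBA source.

    Only 'Sub <name>(' declarations count (optionally Public/Private), so a
    comment or string that merely mentions Auto_Open does not trigger it.
    VBA identifiers are case-insensitive, hence re.I.
    """
    found = []
    for name in AUTOEXEC_NAMES:
        pattern = rf"^\s*(?:Public\s+|Private\s+)?Sub\s+{re.escape(name)}\s*\("
        if re.search(pattern, vba, re.I | re.M):
            found.append(name)
    return found


def find_keywords(vba: str) -> List[str]:
    """Return suspicious keywords present as whole words, in list order."""
    return [k for k in SUSPICIOUS_KEYWORDS
            if re.search(rf"\b{re.escape(k)}\b", vba, re.I)]


def looks_obfuscated(vba: str) -> bool:
    """Crude obfuscation check: many Chr()/ChrW() calls, long chains of
    string concatenation, or StrReverse/Hex decoding. Thresholds are
    arbitrary choices for this example."""
    chr_calls = len(re.findall(r"\bChrW?\s*\(", vba, re.I))
    concat_chains = len(re.findall(r'"\s*&\s*"', vba))
    decoders = bool(re.search(r"\b(?:StrReverse|Hex)\s*\(", vba, re.I))
    return chr_calls >= 5 or concat_chains >= 5 or decoders


def triage_macro(vba: str) -> Dict[str, object]:
    """Apply the report's two macro heuristics plus the extra checks."""
    findings: List[Finding] = []
    if vba.strip():
        findings.append(("OLE_VBA_MACROS", "medium",
                         "Document contains VBA macro code"))
    autoexec = find_autoexec(vba)
    if autoexec:
        findings.append(("OLE_VBA_AUTO", "high",
                         "auto-exec entry point(s): " + ", ".join(autoexec)))
    return {
        "findings": findings,
        "autoexec": autoexec,
        "keywords": find_keywords(vba),
        "obfuscated": looks_obfuscated(vba),
    }


# Constructed sample for this example: an Auto_Open macro that copies the
# workbook into Excel's startup folder so it runs in every later session.
# It is NOT the macros.bas extracted from the analysed file.
SAMPLE_VBA = '''
Attribute VB_Name = "Module1"
Private Sub Auto_Open()
    ' persist by saving a copy into the Excel startup folder
    Dim startup As String
    startup = Application.StartupPath & "\\PERSONAL.XLS"
    ThisWorkbook.Sheets("Sheet1").Copy
    ActiveWorkbook.SaveAs startup
End Sub
'''

if __name__ == "__main__":
    result = triage_macro(SAMPLE_VBA)
    for heuristic, severity, text in result["findings"]:
        print(f"{heuristic:<16} {severity:<7} {text}")
    print("keywords:", result["keywords"])
    print("obfuscated:", result["obfuscated"])
```

On the constructed sample this reports both heuristics, the SaveAs and PERSONAL.XLS keywords, and no obfuscation, which is the same shape of result the report gives for this file: malicious behaviour can live in plain, readable VBA, so "obfuscation or payload: unlikely" lowers confidence in a downloader theory but says nothing about whether the macro is benign.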

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  3936 bytes
SHA-256: 82edb86a6b3f5f9892c8a187393fc74fcd65343fe82fa9aff7c659f1fa16ff16
Detection: ClamAV: Xls.Trojan.Escape-1
Obfuscation or payload: unlikely