Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 988233fd2fde72ba…

MALICIOUS

Office (OLE)

Size: 71.0 KB
Created: 2000-10-25 19:36:37
Authoring application: Microsoft Excel
MD5: 150d89f2cff362a7c018a57663c47e24
SHA-1: e49382852afc511935d4e7f4726fa98cd098e602
SHA-256: 988233fd2fde72baf1ddb558ea779b68e34a60b918aa7d881a3db327f48f3181
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel document in the OLE (compound file) format whose VBA project defines AutoOpen, Auto_Open and Auto_Close procedures. Office runs these entry points on its own when the document is opened or closed, so once macros are enabled the code in them executes without any further user action. ClamAV matches both the container (Doc.Trojan.Xshell-6923080-0) and the macro module carved from it (Win.Trojan.C-286), which identifies the sample as a known trojan. Auto-executing macros of this kind are typically used to download or drop and run a secondary payload; no such payload was recovered during this analysis, and the extracted module itself was assessed as unlikely to be obfuscated or to embed one.

Heuristics 6

  • ClamAV: Doc.Trojan.Xshell-6923080-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Xshell-6923080-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when a document is opened.
  • Auto_Open macro high OLE_VBA_AUTO
    The VBA project defines an Auto_Open procedure, which Excel runs automatically when a workbook is opened.
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    The VBA project defines an Auto_Close procedure, which Excel runs automatically when a workbook is closed.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code.
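The trigger check the heuristics above describe, as an added example that is not part of this report or of oletools: it takes a decoded VBA module (the kind of text olevba hands back), lists the procedures it defines, maps auto-execution entry points to the heuristic IDs used on this page, and hashes the module the way the artifact table keys carved files. It runs over a constructed sample module rather than the real macros.bas, and it generalises past the three triggers listed here to the Word/Excel event handlers Office also calls on its own; the IDs assigned to those extra triggers, and the criterion used for OLE_VBA_MACROS, are assumptions.

```python
import hashlib
import re

# Auto-execution entry points keyed by lower-case name (VBA is case-insensitive).
# The first three are the ones this report flags; the rest are a generalisation to
# the Word/Excel handlers Office also runs without user action, mapped here to the
# nearest of the page's heuristic IDs (that mapping is an assumption).
AUTOEXEC_TRIGGERS = {
    "autoopen":      ("AutoOpen",      "OLE_VBA_AUTOOPEN"),   # Word, on open
    "auto_open":     ("Auto_Open",     "OLE_VBA_AUTO"),       # Excel, on open
    "auto_close":    ("Auto_Close",    "OLE_VBA_AUTOCLOSE"),  # Excel, on close
    "autoclose":     ("AutoClose",     "OLE_VBA_AUTOCLOSE"),  # Word, on close
    "autoexec":      ("AutoExec",      "OLE_VBA_AUTOOPEN"),   # Word, on startup
    "document_open": ("Document_Open", "OLE_VBA_AUTOOPEN"),   # Word event handler
    "workbook_open": ("Workbook_Open", "OLE_VBA_AUTO"),       # Excel event handler
}

# Procedure header: optional visibility, Sub/Function, name, opening parenthesis.
# Anchored at line start so a mention inside a comment or a string does not count.
# Line continuations ("_") in the header are not handled.
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function)\s+"
    r"([A-Za-z_][A-Za-z0-9_]*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)


def procedure_names(vba_source: str) -> list[str]:
    """Every Sub/Function defined in the decoded module, in source order."""
    return PROC_RE.findall(vba_source)


def autoexec_triggers(vba_source: str) -> dict[str, str]:
    """Canonical trigger name -> heuristic ID, for each auto-exec entry point defined."""
    found = {}
    for name in procedure_names(vba_source):
        hit = AUTOEXEC_TRIGGERS.get(name.lower())
        if hit:
            found[hit[0]] = hit[1]
    return found


def module_sha256(vba_source: str) -> str:
    """SHA-256 of the decoded module text, as the artifact table keys carved files."""
    return hashlib.sha256(vba_source.encode("utf-8")).hexdigest()


def heuristics(vba_source: str) -> list[tuple[str, str]]:
    """(heuristic ID, severity) pairs in the order this report lists them.
    Severities are the ones shown on the page. The report's own criterion for
    OLE_VBA_MACROS is not visible, so 'any procedure defined' is assumed here."""
    hits = []
    for hid in autoexec_triggers(vba_source).values():
        if (hid, "high") not in hits:
            hits.append((hid, "high"))
    if procedure_names(vba_source):
        hits.append(("OLE_VBA_MACROS", "medium"))
    return hits


# Constructed sample module; NOT the macros.bas carved from the real file.
SAMPLE_VBA = """Attribute VB_Name = "ThisDocument"
' constructed sample, no real payload
Private Sub AutoOpen()
    Call Auto_Open
End Sub

Sub Auto_Open()
    MsgBox "opened"
End Sub

Public Sub Auto_Close()
    MsgBox "closed"
End Sub

Function Helper(x As Integer) As Integer
    Helper = x + 1
End Function
"""

if __name__ == "__main__":
    print("module sha256:", module_sha256(SAMPLE_VBA))
    print("procedures:", ", ".join(procedure_names(SAMPLE_VBA)))
    for hid, sev in heuristics(SAMPLE_VBA):
        print(f"{sev:8} {hid}")
```

In practice the module text would come from olevba (for example `VBA_Parser(path).extract_macros()`), and the hash of the carved file bytes, not of a re-encoded string, is what should be recorded; the hashing here is on the decoded text only because the example runs without the sample.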

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 87c93c31a3dca39a498392d937d6433d5be33bc4bee03bd56ac64864decdd83e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7337 bytes
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely