Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 99ebed80870d1b15…

MALICIOUS

Office (OLE) / .XLSX

Size: 781.5 KB
Created: 2022-02-07 07:23:36
Authoring application: Microsoft Excel
First seen: 2023-02-06
MD5: adb2b179d36fef5f1a98a72fd9ebf915
SHA-1: 3acd8f5870eea88ea41bce2e62beaff9799ea570
SHA-256: 99ebed80870d1b156b8d5a3efd2e69605e5809f8ce39972d391b2772b9756043
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The file is detected as malicious by ClamAV and contains VBA macros, including Auto_Open and Auto_Close functions, indicating an attempt to execute code upon opening or closing the document. The document body contains shipping and payment-related text, suggesting a lure for financial or logistical scams. The Auto_Open macro attempts to save a copy of itself as 'mypersonnel.xls' in the Excel startup directory, likely to establish persistence or facilitate further execution.

Heuristics 5

  • ClamAV: Xls.Malware.ExcelSic-10004731-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (d49b3eed57ea333340314eacd5bf3454f6a2ba3085f3bfa723034dd1a2d97cfb) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1510 bytes