Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9af99d2feebe118a…

MALICIOUS

Office (OLE) / .XLS

804.0 KB Created: 2010-07-30 11:03:09 Authoring application: Microsoft Excel
MD5: 6d10e23246c5a4f7d2afcb8fa80d72da SHA-1: 090933d91d83620e0b506932c212f51e9d8e243e SHA-256: 9af99d2feebe118aa56db50ebf34965c1287ab5d84bb48709c50762e7a386bd3
122 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel spreadsheet containing a high-severity Auto_Open VBA macro, which is a common technique for executing malicious code upon opening. The ClamAV detection 'Doc.Macro.Laroux-5893719-0' further confirms its malicious nature. No specific malware family could be identified from the available heuristics and embedded content.

Heuristics 5

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8b60aa517d6fb98c30205cd4a70f6eb4ca70661bddd34fc334380124111991e2		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 68801 bytes
ole10native_00.bin
99a6b6c29dc0ce9c833656fdae72d54fbd013b0184e5bb19634af5666f155a18		 ole-package OLE Ole10Native stream: MBD0A123AE3/Ole10Native 127551 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
ole10native_01.bin
1e0f75810b27f7fd01622406fa3cd412bed8c0aa398452e954923efbc23b6c03		 ole-package OLE Ole10Native stream: MBD0A123D5E/Ole10Native 119470 bytes
ole10native_02.bin
741b7b85aeaf4b392739a1db17c8c17e06423de357719e91f2dcebe560eb076b		 ole-package OLE Ole10Native stream: MBD0A1244D3/Ole10Native 118436 bytes
ole10native_03.bin
11b4425604c2cd66e67c07caa8c0175fa96b3bb9c141b9ac11eb289f3fd06663		 ole-package OLE Ole10Native stream: MBD0B5B11A2/Ole10Native 35693 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.