Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9c9a52adb2f930f1…

MALICIOUS

Office (OLE) / .XLS

Size: 64.0 KB
Created: 2009-11-26 14:20:10
MD5: 2261c35cbf9e744bfa5e12a00fead176
SHA-1: 11f03f11e431daaffc2a6e71816694d7f220e483
SHA-256: 9c9a52adb2f930f1593e09bf13f288d015b76205079835ad8d2e207358ddefb6
360 Risk Score

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic
  • T1059.004 Visual Basic for Applications
  • T1059.001 PowerShell

The file contains Excel 4.0 (XLM) macros with an Auto_Open entry and VBA macros designed to establish persistence. The VBA script attempts to copy itself to the Excel startup path as 'StartUp.xls' and registers several application event handlers. The presence of 'RUN=18' and 'risky-formula=21' in the XLM macro listing indicates the use of dangerous formula functions, likely for payload execution or download. The ClamAV detections 'Ppt.Malware.Laroux-10036124-0' and 'Xls.Trojan.Escape-1' further confirm its malicious nature.

Heuristics 7

  • Excel 4.0 (XLM) Auto_Open + macro sheet [critical] OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • ClamAV: Ppt.Malware.Laroux-10036124-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Ppt.Malware.Laroux-10036124-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro [high] OLE_VBA_AUTO
    Workbook contains a VBA Auto_Open macro
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
  SHA-256: 52ec511f1c3b97426e9cd31b85bb763060b4d1d73d0a39aec2ed0448904bff9d
  Kind: xlm-macro
  Source: oletools.olevba.extract_all_macros (XLM macro listing)
  Size: 28790 bytes

Filename: macros.bas
  SHA-256: fb2929454da53a7c274256eb0b38ca9476f9f1c61d52f3b7e15bf6ac20b85c3e
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 2073 bytes

Detection
ClamAV: Xls.Trojan.Escape-1
Obfuscation or payload: unlikely