Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 a47c2bd2e813e19a…

MALICIOUS

Office (OLE) / .EXE

33.5 KB Authoring application: Microsoft Excel
MD5: f8cd72453f1e8e298e53aa83d5d1e1b7 SHA-1: 30c944c672bb5349fd240cfd3962c851c2febf9b SHA-256: a47c2bd2e813e19a211c96299b8f893a2c71899ddae51cc77dea34ec35f43461
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a malicious Excel document by ClamAV with the signature Xls.Trojan.PTH-2. It contains a significant amount of VBA macro code, including an Auto_Open macro, which is a common technique for executing malicious payloads upon opening the document. The macro's purpose is to download and execute a second-stage payload.

Heuristics 4

  • ClamAV: Xls.Trojan.PTH-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.PTH-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5f0f4be16aa80bc0e04a40353037e2b7eb041e077c1f95084841afba8d8a5aa8		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 18890 bytes
Detection
ClamAV: Xls.Trojan.PTH-2
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.