Xls.Trojan.Escape Office (OLE) / .XLS malware analysis — malicious · a4aa1e7e8870ceca

MALICIOUS

Office (OLE) / .XLS

18.0 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel

MD5: 7f5c21408279446ddfdc1d547584c7e4 SHA-1: be63b07a3d975fcc0805c423a19992c023a9f29b SHA-256: a4aa1e7e8870cecab3ac0439a088a116e472ce05fb127b80766bb0256d1f2a78

180 Risk Score

Malware Insights

Xls.Trojan.Escape · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Escape-2. It contains VBA macros, specifically an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of an Auto_Open macro strongly suggests the intent to automatically run a payload, likely for further system compromise.

Heuristics 4

ClamAV: Xls.Trojan.Escape-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Escape-2
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b1dc6e799f600e1fe03c12ee5c927d9c20e72385747b65f9e697c96da1cbf849`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1767 bytes
Detection ClamAV: Xls.Trojan.Escape-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.