Office (OLE) / .XLSX malware analysis — malicious · b1744a278180e4f7

MALICIOUS

Office (OLE) / .XLSX

193.5 KB Created: 2011-12-12 01:36:43 Authoring application: Microsoft Excel First seen: 2023-02-08

MD5: 3313519e4ce1b634a12185d5bf8b7796 SHA-1: 1d53d3ce5b2bc3e0965c01a51d8f586bbaec9234 SHA-256: b1744a278180e4f7763e16bcf70100c9cc157952144ee3e6618b6e2e6b7dfa30

160 Risk Score

Malware Insights

MITRE ATT&CK

T1547.001 Registry Run Keys / Startup Folder T1547.001 Registry Run Keys / Startup Folder T1547.001 Registry Run Keys / Startup Folder T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically an Auto_Open subroutine, which is designed to establish persistence by saving itself to the Excel startup folder as 'mypersonnel.xls'. The Auto_Close subroutine attempts to convert the file to an older XLS format and delete the original XLSX. The presence of these macros and the persistence mechanism strongly suggest a malicious intent to maintain a foothold on the system.

Heuristics 4

ClamAV: Xls.Malware.ExcelSic-10004731-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0e027d7c75d49f79cc7aa4389acfebf7b55f41d2ad86258589318b07847f19ae`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.