Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 ceaade781e86e3ac…

MALICIOUS

Office (OLE) / .EXE

277.5 KB Created: 1999-02-08 09:24:15 Authoring application: Microsoft Excel
MD5: c71b05c61a45b5c69087d58bd93c02bf SHA-1: 1cdedf8e231060d01b631ec5831ae459cf3e6c30 SHA-256: ceaade781e86e3accdcdf764a66da594e1e0652b8a711440d5865c8dc62b9e20
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The critical ClamAV detection of 'Xls.Trojan.Laroux-32' strongly indicates malicious intent. The presence of an Auto_Open VBA macro, a common technique for initial execution in macro-enabled documents, further supports this. The document body content is minimal and does not provide further clues, but the combination of macro execution and a known trojan signature points to a malware delivery mechanism.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-32 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-32
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
286c10f1c8e48ced052c6b0fac0ae893bb145f1a9f74ec5a6b050f8ac77b6f27		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1892 bytes
Detection
ClamAV: Xls.Trojan.Laroux-32
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.