Barisada — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 d0a832944bfbd384…

MALICIOUS

Office (OLE) / .XLSX

Size: 30.0 KB
Created: 2001-07-02 13:02:33
Authoring application: Microsoft Excel
MD5: d99c6495a408b69a98608884af7c88cb
SHA-1: 78b6db2eb9b9a99971f59e242389678569242976
SHA-256: d0a832944bfbd3848f71c668cf7702347f29bf2cf25ea458d6afc9234b4194c8
Risk score: 140

Malware Insights

Barisada · confidence 85%

MITRE ATT&CK
T1547.001 Registry Run Keys / Startup Folder
T1059.005 Visual Basic

The critical ClamAV heuristic firings indicate this file is a variant of the Barisada trojan. The VBA macro code within the workbook attempts to establish persistence by creating a new Excel file named 'khm.xls' in the application's startup directory. This is achieved by concatenating the `Application.StartupPath` with the filename '\khm.xls'. The macro also appears to copy its own code into other components of newly created workbooks.

Heuristics (3)

  • ClamAV: Xls.Trojan.Barisada-8 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Barisada-8
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e3740fafed391648d898e35d9ffe0bd84ad3410d073a3d194daa1c6ac2c85912
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7074 bytes
Detection: ClamAV: Xls.Trojan.Barisada-7
Obfuscation or payload: unlikely