Barisada — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 d0bd5b046c3204b1…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.33 MB
Created: 2002-11-27 19:08:54
Authoring application: Microsoft Excel
MD5: 5a041685a8b4bd6c4a45454a3906265a
SHA-1: 9fe7e8d86d1eae294b6177e83257c94f6c8e281f
SHA-256: d0bd5b046c3204b1ba38657cd310f3f402b033fff9c4da8b42a56d8da890b65f
Risk score: 140

Malware Insights

Barisada · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1140 Deobfuscate/Decode Files or Information

ClamAV identifies the file as Xls.Trojan.Barisada-9, and the VBA module carved from it triggers a second signature, Xls.Trojan.Barisada-2. The macro code is partially obfuscated. The actions observed in it are saving a copy of the workbook named 'binladen.xls' in the Excel startup path, where Excel opens it automatically on every launch, and modifying the VBA code of other workbooks; on that basis the analysis assesses the macro as a downloader or dropper intended to fetch and execute a second-stage payload. No download URL or network call is listed in this report, so the startup-path copy and the VBA modification are the concrete indicators to hunt for.

Heuristics (3)

  • ClamAV: Xls.Trojan.Barisada-9 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.Barisada-9
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 0577569136fc4cf2ef63b3464649bcce76097b912589460fa4fc13950072f072
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5676 bytes
Detection: ClamAV: Xls.Trojan.Barisada-2
Obfuscation or payload: unlikely
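The summary above names two behaviours (a copy written to the Excel startup path and VBA written into other workbooks) plus partial obfuscation, and the artifact table shows the decoded module that olevba carved out. The script below is an added example, not the analysis pipeline's own code and not the real macros.bas: it takes a decoded VBA module, hashes it so the digest can be compared with the artifact hash listed above, folds Chr(n) & Chr(m) string building back into literals (the T1140 step), and flags those two behaviours by line. SAMPLE_VBA is a constructed stand-in written to exhibit the reported pattern; the indicator names and severity mapping are this example's own choices.

```python
"""Triage a decoded VBA module such as the macros.bas olevba carves out.

Added example for this report; it is not the analysis pipeline's own
code.  It hashes the module so the digest can be compared with the
artifact hash listed above, folds Chr(n) & Chr(m) string building back
into literals (T1140), and flags the behaviours the summary names:
writing to Excel's startup path and touching another workbook's
VBProject.  SAMPLE_VBA is constructed for the example and is not the
macro from the sample.
"""
import hashlib
import re

# Constructed stand-in: the filename is assembled from Chr() calls, the
# workbook copies itself into the startup folder, then writes code into
# every other open workbook's VBProject.
SAMPLE_VBA = r'''Attribute VB_Name = "Module1"
Private Sub Auto_Open()
    Dim n As String
    n = Chr(98) & Chr(105) & Chr(110) & Chr(108) & Chr(97) & Chr(100) & Chr(101) & Chr(110) & ".xls"
    Application.EnableEvents = False
    ThisWorkbook.SaveCopyAs Application.StartupPath & "\" & n
    For Each wb In Application.Workbooks
        If wb.Name <> ThisWorkbook.Name Then
            wb.VBProject.VBComponents("ThisWorkbook").CodeModule.AddFromString src
        End If
    Next
End Sub
'''

# A run of Chr(n) calls joined with &, e.g. Chr(98) & Chr(105)
CHR_RUN = re.compile(r'Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))*', re.I)
# Two adjacent string literals joined with & (doubled-quote escapes are not handled)
LIT_JOIN = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')

# Indicator names below are this example's own labels, not the report's heuristic IDs.
INDICATORS = {
    "auto-exec entry point": re.compile(r'\b(Auto_Open|Auto_Close|Workbook_Open)\b', re.I),
    "writes to Excel startup path": re.compile(r'Application\.StartupPath', re.I),
    "saves a copy of the workbook": re.compile(r'\.(SaveAs|SaveCopyAs)\b', re.I),
    "modifies another workbook's VBA": re.compile(r'\.(VBProject|VBComponents|CodeModule)\b', re.I),
    "Chr() string building": CHR_RUN,
}


def fold_strings(src: str) -> str:
    """Rewrite Chr() runs as literals and merge literals joined by &."""
    def chr_to_literal(m):
        codes = [int(c) for c in re.findall(r'\d+', m.group(0))]
        text = ''.join(chr(c) if c < 256 else '?' for c in codes)
        return '"' + text.replace('"', '""') + '"'
    out = CHR_RUN.sub(chr_to_literal, src)
    while True:  # repeat until no adjacent literal pair remains
        merged = LIT_JOIN.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if merged == out:
            return out
        out = merged


def scan(src: str) -> dict:
    """Return the module hash, indicator hits (1-based line numbers) and decoded strings."""
    hits = {}
    for name, rx in INDICATORS.items():
        lines = [i for i, line in enumerate(src.splitlines(), 1) if rx.search(line)]
        if lines:
            hits[name] = lines
    decoded = fold_strings(src)
    return {
        "sha256": hashlib.sha256(src.encode("utf-8")).hexdigest(),
        "hits": hits,
        "strings": re.findall(r'"([^"\n]+)"', decoded),
    }


def verdict(hits: dict) -> str:
    """Map indicator combinations onto the report's severity words."""
    persist = "writes to Excel startup path" in hits
    inject = "modifies another workbook's VBA" in hits
    if persist and inject:
        return "critical"  # startup-path persistence plus VBProject injection
    if persist or inject or "Chr() string building" in hits:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = scan(SAMPLE_VBA)
    print("sha256:", result["sha256"])
    for name, lines in result["hits"].items():
        print(f"{name}: lines {lines}")
    print("decoded strings:", result["strings"])
    print("verdict:", verdict(result["hits"]))
```

Run it against the real macros.bas by reading the file into scan() instead of SAMPLE_VBA; the sha256 it prints should match the artifact hash in the table, and the decoded strings list is where a filename such as 'binladen.xls' surfaces even when the source builds it from Chr() calls. Access to VBProject from a macro also requires the "Trust access to the VBA project object model" setting, which is off by default, so a hit on that indicator is worth correlating with that setting on the victim host.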