Office (OLE) malware analysis — malicious · e891526c96ae60e4

MALICIOUS

Office (OLE)

60.0 KB Created: 2006-02-08 01:17:42 Authoring application: Microsoft Excel

MD5: 18d7f4bd4c978eb48c5ca33c82f96bac SHA-1: ce140d0945f573bb35d557afaef6366654576e54 SHA-256: e891526c96ae60e46604478718058be06ca32d063db89f958bba726195ab90f3

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1059.001 PowerShell

The file is detected as malicious by ClamAV with the signature Xls.Trojan.Divi-2. A critical heuristic indicates a 'Clipboard command execution lure', suggesting the document instructs the user to copy and paste content into a shell. This points to an attack pattern where the user is tricked into executing commands. No VBA macros were explicitly detailed, but their presence is noted.

Heuristics 5

ClamAV: Xls.Trojan.Divi-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Divi-2
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `071f3a0b784024ef35792a253057501062227a92e573f88f3726df2be4c03d1f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5550 bytes
Detection ClamAV: Xls.Trojan.Divi-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.