Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f4e6ed1efca638f3…

MALICIOUS

Office (OLE) / .XLS

File size: 15.0 KB
Created: 2010-05-09 23:28:11
Authoring application: Microsoft Excel
MD5: 5a81028161021cde4c6ad01f38c277c0
SHA-1: bc00dc6b6a21c9fecbd2b7a7a895ecb5041ef16e
SHA-256: f4e6ed1efca638f3bbdafa965fb78791f76902f6f0b6745e7eb87da65b2029be
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The critical ClamAV detections indicate this Excel file is malicious, specifically identified as Xls.Trojan.Escape. The presence of a high-severity Auto_Open macro suggests that malicious VBA code is executed automatically upon opening the spreadsheet. No document body or script content was provided for further analysis of the payload or specific execution details.

Heuristics 4

  • ClamAV: Xls.Trojan.Escape-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Trojan.Escape-2
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro [high, OLE_VBA_AUTO]
    Auto_Open macro
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
  df0db2b736b6c198afb0d1338be15f877e7b5ce9ad88e18698ac06d145dfcb65
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1988 bytes
Detection: ClamAV: Xls.Trojan.Escape-1
Obfuscation or payload: unlikely