Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 f9a9d8e2b1d4d8fc…

MALICIOUS

Office (OLE) / .XLSX

Size: 171.5 KB
Created: 2019-06-03 07:04:22
Authoring application: Microsoft Excel
First seen: 2023-02-06
MD5: c07e5a35f4db4b0b6a22ca3a99b94656
SHA-1: 3d97eac81ab41376fd3033d2db226db4a0f47c7c
SHA-256: f9a9d8e2b1d4d8fcd02e5a08ec17f20c9a046f28a8196faad21fc10f94072905
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic

The file contains VBA macros, including Auto_Open and Auto_Close functions, which are indicative of malicious intent. The Auto_Open macro attempts to establish persistence by saving a copy of the workbook to the Excel startup folder as 'mypersonnel.xls'. The Auto_Close macro attempts to convert the file to an older .xls format and delete the original .xlsx file. The document body appears to be financial or shipping data, likely used as a lure.

Heuristics (4)

  • ClamAV: Xls.Malware.ExcelSic-10004731-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (d49b3eed57ea333340314eacd5bf3454f6a2ba3085f3bfa723034dd1a2d97cfb) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1510 bytes