Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 fda7693dcaba278c…

MALICIOUS

Office (OLE) / .EXE

78.0 KB Created: 1999-01-05 09:51:59 Authoring application: Microsoft PowerPoint
MD5: 1155614f8bf202f9ed168c829f239866 SHA-1: 882571eae7af1767f4ea0ca8080bc105f6466c95 SHA-256: fda7693dcaba278c2f2625ea82bada83379cf33f7b46ad7b8d14148dd6688f22
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Laroux-1. Static analysis detected a VBA macro, specifically an Auto_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The macro source is 1900 bytes, indicating a non-trivial script. The document body is heavily corrupted and unreadable, providing no contextual clues about the lure. The primary IOC is the ClamAV detection name.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c64ca112af2bc1f48d25c1ac9cfd5e5c937b982c9c46373518aae1d391d695d8		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1900 bytes
Detection
ClamAV: Xls.Trojan.Laroux-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.