Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 024361c1adbe097b…

MALICIOUS

Office (OLE) / .XLS

139.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: 863973df5c9a7a470e1bca5c58d57fea SHA-1: ce636d2f49953d37c60358d8f7af898121b7fb14 SHA-256: 024361c1adbe097b5d58454a74d1061e89f6907f16966b1667353ff516fd2abc
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is an Excel spreadsheet containing VBA macros, including Auto_Open and Auto_Close routines. Critical heuristics indicate obfuscation of the dangerous API function URLDownloadToFile, suggesting the macro's purpose is to download and execute a second-stage payload. The ClamAV detection name further supports this, identifying it as a downloader.

Heuristics 5

  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
cb0cc7d6ec879bf271bfcf7b623b6c4f0acb51f4c4e6846e957b8d4968df2677		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 5181 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.