Valyria — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 02521f0bb91b4c74…

MALICIOUS

Office (OLE) / .XLS

55.0 KB Created: 2021-04-19 11:28:26
MD5: 875633e78cc91862b5189e69bd0364c1 SHA-1: b6fe87e8761e59bd835afd8fa6054070a49f7209 SHA-256: 02521f0bb91b4c74d1590b85254f26f0d258cd780393010593ae6daaa5993753
220 Risk Score

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The file is identified as malicious by ClamAV with the signature Xls.Downloader.Valyria-10002374-0. Static analysis revealed the presence of both Excel 4.0 macros and VBA macros. Crucially, the VBA code utilizes the URLDownloadToFile API, indicating an intent to download and execute a second-stage payload from a remote source. This is a common technique for malware droppers.

Heuristics 5

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • ClamAV: Xls.Downloader.Valyria-10002374-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Valyria-10002374-0
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
d2f61acc8da6d5f684bd642035981ac99a963407468e4f8678a582ad2aaf5240		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 674 bytes
macros.bas
d27ab60a9af151d1ec4686f739a53580dd200d347b0e6f5bc9ce250d9508fb0e		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.