Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 02cbc1ab80695fc1…

MALICIOUS

Office (OLE) / .XLS

83.0 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel
MD5: a8724d5484779a28ad2ef10bfdcbd46f SHA-1: 4888503cc056d3e279c0cac8e1fbafad76973212 SHA-256: 02cbc1ab80695fc12ff8822b926957c3a600247b9ca412a137f69cb5716c8781
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains both VBA and Excel 4.0 macros, with the latter being the primary execution vector. The XLM macro constructs a command to download 'az.exe' from 'https://tinyurl.com/y3y4ay4y' using PowerShell and then executes it. This indicates a downloader functionality, likely leading to further malicious activity.

Heuristics 4

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
9f45bf905d18288a0250d49f937d11d03084ec127a2daa069d1a8d3b5999f4d8		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 1401 bytes
macros.bas
36acc45cdf6c0ac3dfd3174b6767372d197266a7f75be84ea70a25ae94fea42b		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 935 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.