Office (OLE) / .XLS malware analysis — malicious · 03d09bfd57e767cf

MALICIOUS

Office (OLE) / .XLS

987.5 KB Created: 2023-05-28 21:48:22 Authoring application: Microsoft Excel First seen: 2023-05-30

MD5: 7cd6ff5343536a27080cf3125f1174ce SHA-1: da0d9a92c6a097e5b70fb9e8d680c212321ffa2a SHA-256: 03d09bfd57e767cf1f87a74717297de4a48ed8ceec42ef6f77d1968dd9fc2df2

168 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The critical ClamAV detection and high-severity heuristics for Workbook_Open and Auto_Open macros indicate malicious intent. The VBA macro attempts to execute a file named 'ST.inf' from the user's temporary directory using the LaunchINFSectionW API, a common technique for executing arbitrary code. The macro's obfuscated nature and reliance on an external DLL (ADvpaCk.DlL) suggest it's a downloader for a second-stage payload.

Heuristics 5

ClamAV: Xls.Malware.Sdrop-10003549-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sdrop-10003549-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `e903fc4d97971abb04f4fc8812ea583505f0f84a4fddb4ad5255b8c87a7ab140`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	224488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.