Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0439d87132de07d2…

MALICIOUS

Office (OLE) / .XLS

75.0 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel
MD5: 36159c853479e0745cec687aff88eb8a SHA-1: d2e08dfd4546c466b8e90ef2e400ef8ba71ebb0c SHA-256: 0439d87132de07d22d108556533c733d6b74a11158d2388e696bd7fb461b54de
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file contains both VBA and Excel 4.0 macros, with the latter being particularly concerning due to its ability to execute commands. The XLM macro constructs a PowerShell command to download a file named 'wq.exe' from 'https://cutt.ly/WgV1bTC' and then executes it after moving it to the user's AppData directory. The Auto_Open macro in VBA is designed to trigger the XLM macro, indicating a clear intent to download and run a secondary payload.

Heuristics 4

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
bc49e228e0c421e8a87dff17ba6101db9ebc7291d37cd901389b06f991079a3d		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 1259 bytes
macros.bas
fee65a11429dc10585813f204465c30b1b3c2131639dcde641611baba3f7538f		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 830 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.