Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 0537c1589de147f5…

MALICIOUS

Office (OLE) / .XLSX

Size: 826.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 7ca88eb8b13bc6ac83295cdcab72e6b8
SHA-1: 9f9e836320defaa623777e0d7de3fd002590b516
SHA-256: 0537c1589de147f59e01d94f8d5fbdf086a640be67f8d190462dc41f1408bd58
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file contains VBA macros, including CreateObject and CallByName functions, which are commonly used for malicious purposes. The macro attempts to write data to 'C:\Users\Public\Documents\load.txt', suggesting it's part of a downloader or dropper mechanism. The heuristic 'SE_ENABLE_LURE' indicates the document likely prompts the user to enable macros, a typical social engineering tactic for malicious Office documents.

Heuristics (6)

  • ClamAV: Xls.Malware.Exvk-9785252-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Exvk-9785252-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3818 bytes
SHA-256: 431b5eeffb7b3dac7e5f3fa28ab3ad5c6246b2262314050ad4709f6f7eef07c8