Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 057e9473b97f15ef…

MALICIOUS

Office (OLE) / .XLS

55.0 KB Created: 2022-08-17 08:20:03 Authoring application: Microsoft Excel First seen: 2022-08-17
MD5: 4e52c38e4a7aa11b53b1432f66383a5f SHA-1: c0f1b49d796f68f5367135be25c284afbb2bc1fc SHA-256: 057e9473b97f15efb11647bcd6794922de3c68dbe53698fab481a2a7fff5bbc2
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The file is an Excel spreadsheet containing VBA macros. Critical heuristics indicate that the macros download and execute a file from an HTTP URL. The script attempts to obfuscate the URL by concatenating strings, but analysis reveals the target URL to be 'http://37ms82nt10wg:90im/113o1iPs11nrs1W_e112c'. This functionality strongly suggests a downloader malware.

Heuristics 5

  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
84ba7baa7017cf563ba319e34284445373bc6583e1f2dc79d990db4c4c8cd678		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.