Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 08ef8a427b802d31…

MALICIOUS

Office (OLE) / .XLS

Size: 264.5 KB
Created: 2021-03-24 14:56:06
MD5: c6f5a451cea2eec78ba74a52cf92d1f4
SHA-1: 3d6386645c8c875804e1e61bce1fcde6b30d16c4
SHA-256: 08ef8a427b802d311c1f3c757c6e4910bc04d45c5997983f6c015bd2cec103f9
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The file contains both Excel 4.0 (XLM) macros and VBA macros, and the critical heuristics point to use of the URLDownloadToFile API for retrieving remote content. The VBA macro explicitly declares and calls URLDownloadToFileA from urlmon.dll, which suggests it is designed to download and execute a second-stage payload. The presence of both macro types together with the direct API call strongly indicates downloader or dropper functionality.

Heuristics (5)

  • Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]
    URLDownloadToFile in VBA
  • ClamAV: Win.Malware.Agent-9847212-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Malware.Agent-9847212-0
  • Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
  SHA-256: a0713dbcc3a8ee2c4ed8ca1d3b261bb89acb2e48482a4091dbd494083be77692
  Kind:    xlm-macro
  Source:  oletools.olevba.extract_all_macros (XLM macro listing)
  Size:    315254 bytes

Filename: macros.bas
  SHA-256: 0a7f96b71eb6b364d6ab651362be56f7c6463b158fd4122fb216689d2d42bfbb
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source)
  Size:    3141 bytes