Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0a25ede48d6378cc…

MALICIOUS

Office (OLE) / .XLS

Size: 1.04 MB | Created: 2019-08-30 09:14:50 | Authoring application: Microsoft Excel
MD5: f40b972bbbab58127fa00488ca5631f2
SHA-1: 981ac2ac8fc2ac32d7a0ebe5942be62a5a2b9aaa
SHA-256: 0a25ede48d6378ccf0c1153fdcceffeb53baaed9f46e783246432198748c5853
Risk score: 500

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information
  • T1027 Obfuscated Files or Information
  • T1204.002 User Execution: Malicious File

This XLS file contains VBA macros that leverage `Shell()` and `CreateObject()` to execute embedded code. The critical heuristic 'OLE_EMBEDDED_EXE' indicates a PE executable is embedded, and 'OLE_VBA_ACTIVEX_XLM_STAGER' suggests a mechanism to launch it. The VBA script likely decodes and executes this embedded payload, which is a common dropper technique. The presence of `VirtualAlloc`, `LoadLibrary`, and `GetProcAddress` API calls further supports the execution of a malicious payload.

Heuristics (11)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • ClamAV: Xls.Dropper.Agent-7649571-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7649571-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (3)

Files carved from inside the sample during analysis (columns: Filename, SHA-256, Kind, Source, Size).

  • macros.bas
    SHA-256: efc9d116cbaa088d9b7728c5c9c2cf4bf2a2f46968d6490a1f2dc68029eeb024
    Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 21402 bytes
  • embedded_office_000049db.exe
    SHA-256: d7bb302c687579ad12a5ad30ae71186a8c2f51795642e67595a8cedb443b2485
    Kind: embedded-pe | Source: Office MZ+PE at offset 0x49DB | Size: 1071653 bytes
    Detection: ClamAV: Win.Trojan.Razy-7331387-0
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    SHA-256: 8ae8b82fb2de28986b2bfbdcdaa483ee6f72a0e7d31e9c6e9d9ffa934b607d3d
    Kind: ole-package | Source: OLE Ole10Native stream: MBD02B7D871/Ole10Native | Size: 559679 bytes