Office (OLE) / .XLS malware analysis — malicious · 0a8b0b423e864ae0

MALICIOUS

Office (OLE) / .XLS

129.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 1f4a448f535f2a3657dfef39beb4a662 SHA-1: 3469b525c73b66fab130abceb11f23eb53723b88 SHA-256: 0a8b0b423e864ae0c19cbe56b135d804b91516bb9b633d889c315c757bfd3930

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros, including Auto_Open and Auto_Close, which are commonly used to initiate malicious actions upon opening or closing the document. The presence of the URLDownloadToFile API call and embedded URLs strongly suggests that the macros are designed to download and execute a second-stage payload from the listed IP addresses. The ClamAV signature also indicates a downloader functionality.

Heuristics 6

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://190.14.37.165/
- http://5.196.247.11/
- http://188.119.113.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `fde66e20711a7f15978b94a5a866f07b9d20ea1d8f560b84fb649e896abaaf38`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4585 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.