Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0e87250ee492e438…

MALICIOUS

Office (OLE) / .XLS

Size: 73.0 KB
Created: 2022-12-20 09:55:23
Authoring application: Microsoft Excel
First seen: 2022-12-20
MD5: 33d611d38b722959554bbcf2b7354fb0
SHA-1: 3b0daa6eddf678d334d887961dee85eb90079376
SHA-256: 0e87250ee492e4380e288ef7f8f7a66d5b764578bbbe74eaff738a81045d5e38
Risk Score: 288

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The file is an Excel spreadsheet containing VBA macros. Two critical heuristics fired: the macro obtains a WScript.Shell object (via CreateObject) and also issues a Shell() call, either of which lets it run arbitrary commands on the host. The macro additionally decodes a Base64 string, which is most likely an obfuscated payload or the URL from which one is fetched. The Environ() call reads an environment variable, a pattern droppers commonly use to resolve a writable path before writing a file. Command execution combined with a decoded Base64 string is the classic downloader/dropper pattern, and it matches the ClamAV signature name (Xls.Downloader). This is a static result only: the decoded string is not shown here, so confirm what it resolves to by inspecting the carved macro source (macros.bas below) or detonating the sample in an isolated sandbox before acting on it.
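The triage logic the summary describes, as an added example and not code from the analysis platform or from oletools: a small scanner that runs regex heuristics with the report's rule IDs and severities over decoded VBA source, pulls out quoted Base64 literals and decodes them, and derives the downloader/dropper verdict from the combination. The VBA text is constructed for the example (it is not the carved macros.bas of this sample), the regexes are this example's own approximations of the rules rather than oletools' signatures, and the EX_BASE64_LITERAL rule ID is invented here. In practice the source would come from olevba's macro extraction rather than a string literal.

```python
import base64
import re
import string

# Constructed VBA sample for this example (NOT the macro carved from the
# analysed file). It exercises the same indicators the report flags; the
# Base64 literal decodes to a harmless echo command.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim ws As Object
    Set ws = CreateObject("WScript.Shell")
    tmp = Environ("TEMP")
    enc = "Y21kIC9jIGVjaG8gaGVsbG8="
    Shell Decode64(enc), vbHide   ' Decode64 would be defined elsewhere in the module
End Sub
'''

# Rule table using the report's heuristic IDs and severities. The regexes
# are this example's own approximation, not oletools' rule set.
RULES = [
    # A bare Shell call; the lookbehind excludes the "WScript.Shell" ProgID.
    ("OLE_VBA_SHELL", "critical", re.compile(r"(?<![.\w])Shell\b", re.I)),
    ("OLE_VBA_WSCRIPT", "critical", re.compile(r"WScript\.Shell", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
]

# Quoted string literal that looks like Base64: 16+ alphabet chars, optional padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def decode_base64_literals(source):
    """Return (literal, decoded_text) pairs for every quoted literal that is
    valid Base64. Printable results are returned as text; anything else is
    summarised as binary so a packed payload is still reported."""
    found = []
    for literal in B64_LITERAL.findall(source):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("ascii", errors="replace")
        if all(ch in string.printable for ch in text):
            found.append((literal, text))
        else:
            found.append((literal, "<%d bytes of binary data>" % len(raw)))
    return found


def scan_vba(source):
    """Run the heuristic rules and Base64 extraction over decoded VBA source.
    Returns {"hits": {rule_id: severity}, "base64": [(literal, decoded)]}."""
    hits = {rid: sev for rid, sev, pat in RULES if pat.search(source)}
    decoded = decode_base64_literals(source)
    if decoded:
        hits["EX_BASE64_LITERAL"] = "medium"  # example-specific rule ID
    return {"hits": hits, "base64": decoded}


def verdict(result):
    """Mirror the report's reasoning: a command-execution primitive together
    with a decodable Base64 literal is the downloader/dropper pattern."""
    hits = result["hits"]
    exec_capable = "OLE_VBA_SHELL" in hits or "OLE_VBA_WSCRIPT" in hits
    if exec_capable and result["base64"]:
        return "likely downloader/dropper"
    if exec_capable:
        return "command execution"
    return "no execution indicators"


if __name__ == "__main__":
    result = scan_vba(SAMPLE_VBA)
    for rid, sev in sorted(result["hits"].items()):
        print(f"{sev:9s} {rid}")
    for literal, text in result["base64"]:
        print(f"base64 {literal!r} -> {text!r}")
    print("verdict:", verdict(result))
```

The lookbehind on the Shell rule matters: without it, every macro that merely names the "WScript.Shell" ProgID would also trip OLE_VBA_SHELL and the two critical heuristics would collapse into one signal. Base64 decoding is attempted only on literals that validate, and non-printable output is still surfaced, since a packed PE or shellcode blob is exactly what a dropper would embed.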

Heuristics (7)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • SC_STR_WSCRIPT (high): reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 3971fec43fd9256fef3de7cc73deab87b5f2252ca1607f7982a8a0a8340c79a7
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4879 bytes