Office (OLE) / .XLS malware analysis — malicious · 0fcb57e654f731d2

MALICIOUS

Office (OLE) / .XLS

77.0 KB Created: 2020-04-28 09:56:52 Authoring application: Microsoft Excel

MD5: 6fdd929eed194da411eae97304f33f11 SHA-1: 19c3702e966705377accd4020b14c97e517432bc SHA-256: 0fcb57e654f731d2c7f000ca7b78a0596cc0938f9fb8da70d8f06e63d8db9c25

280 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The Excel file contains VBA macros that leverage WScript.Shell to execute commands. The `Shell()` function is used, and the script attempts to construct a command by concatenating values from spreadsheet ranges. This strongly suggests the macro is designed to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-7724224-0' further supports this dropper functionality.

Heuristics 6

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
ClamAV: Doc.Dropper.Agent-7724224-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7724224-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0e52df386030db15123bf0a10b07d3b5889c06de589784000d3337c945b28300`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1275 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.