Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 10547fbcab56e5ee…

MALICIOUS

Office (OLE) / .XLS

Size: 841.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
MD5: da66e0f3ba923c8fa8ee45e1629b31dd
SHA-1: 6fb7289189ed83eb95cc97a0a9f595d0dd31eb1f
SHA-256: 10547fbcab56e5eeced75b4db50aac92a2eafe3581ad35018e27ea840b6abcb6
Risk score: 482

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

This Excel workbook carries both VBA and Excel 4.0 (XLM) macros. The critical heuristics are a Shell() call in the VBA source, an auto-firing ActiveX/control event that reaches ExecuteExcel4Macro only in the compiled p-code (a VBA-stomping pattern that hides the XLM hand-off from source-level scanners), and an MZ/PE header inside the document at offset 0x4545 whose carved copy ClamAV flags as Win.Dropper.Hideproc. The most likely chain is: control event fires on open, the VBA stager invokes the decoded XLM macro, and the XLM code writes the embedded executable to disk and runs it. That is a dropper carrying its own payload rather than a downloader: no download URL was extracted, and the only URLs in the file are Microsoft PKI CRL and certificate endpoints that almost certainly come from an Authenticode signature chain on the embedded executable. T1105 (Ingress Tool Transfer) and T1203 (Exploitation for Client Execution) are therefore not evidenced by the static results on this page; whether the dropped executable fetches a further stage needs dynamic analysis of the carved artifact.

Heuristics 12

  • Shell() call in VBA critical OLE_VBA_SHELL
    The decoded VBA source calls Shell(), which starts an arbitrary external process from the macro.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside the document (at offset 0x4545, see the carved artifact below). A workbook has no legitimate reason to carry a Windows executable.
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not. That mismatch is the VBA-stomping shape of the ActiveX-event XLM stager: the control event fires without user interaction and hands control to XLM formula execution (to call Win32 APIs or drop payloads), and a scanner that reads only the source text never sees the hand-off. Verify it by diffing the p-code disassembly (pcodedmp) against the olevba source. Caveat: stomped p-code only runs when the document is opened by the same Office version that compiled it; any other version recompiles from the benign-looking source, so the sample may behave differently across sandboxes.
  • ClamAV: Xls.Dropper.Agent-7632263-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7632263-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    A WScript / WScript.Shell reference, the usual way VBA runs a command line or a script engine outside Excel.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    LoadLibrary, GetProcAddress and VirtualAlloc together are the dynamic-resolution plus executable-memory pattern of shellcode and reflective loaders. Because this file also carries a whole PE image, confirm which container the strings live in: in the macro streams they indicate in-process code injection from VBA (Declare Function imports), whereas inside the carved executable they may simply be its ordinary import table.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. Here the sheet does not need its own Auto_Open defined name to run: the VBA stager invokes it through ExecuteExcel4Macro.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below are Microsoft PKI CRL distribution point and certificate (AIA) endpoints for the MicrosoftTimeStampPCA, MicCodSigPCA and Microsoft Root certificates, i.e. the strings a printable-string extractor lifts out of an Authenticode certificate chain, almost certainly the one on the embedded executable. They are not command-and-control indicators. The trailing characters ("0", "0X", "0Z", "0T") are not part of the URLs: inside the DER-encoded certificate each URL is followed by the next element's tag and length (0x30 is the SEQUENCE tag, printed as "0", and the letter after it is the length byte), and the extractor swept those bytes up with the URL.
    • http://www.microsoft.com0
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
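The source-versus-p-code mismatch behind the OLE_VBA_ACTIVEX_XLM_STAGER heuristic can be checked offline. The following is an added example, not the analysis platform's code and not part of oletools or pcodedmp: it takes the identifier list that a p-code dumper such as pcodedmp recovers from the identifier table and the decompressed source that olevba prints (both constructed here for illustration) and reports which names exist only in the compiled code. The watchlist of execution primitives and the auto-firing event-name pattern are assumptions of this example.

```python
import re

# Assumed watchlist (not from the report): execution primitives whose presence
# in the compiled p-code but not in the decompressed source is a strong
# stomping signal.
SUSPICIOUS_NAMES = {
    "executeexcel4macro", "shell", "createobject", "getobject", "wscript",
    "virtualalloc", "createthread", "rtlmovememory", "urldownloadtofilea",
    "callbyname", "environ",
}

# Procedures Office runs without a click: document/workbook events plus
# ActiveX control events of the form <ControlName>_<Event> (assumed list).
AUTO_EVENT_RE = re.compile(
    r"^(auto_open|auto_close|workbook_open|document_open|"
    r"\w+_(layout|click|change|gotfocus|lostfocus|mousemove|activate|initialize))$",
    re.IGNORECASE,
)

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
COMMENT_RE = re.compile(r"'.*$", re.MULTILINE)


def source_identifiers(vba_source):
    """Identifier-shaped tokens in the decompressed source (what olevba prints).
    Comments are dropped first so a name parked in a comment cannot satisfy the
    check; VBA is case-insensitive, so everything is lower-cased."""
    code = COMMENT_RE.sub("", vba_source)
    return {m.group(0).lower() for m in IDENT_RE.finditer(code)}


def stomping_indicators(pcode_identifiers, vba_source):
    """Compare the identifier table recovered from the compiled p-code with the
    decompressed source. A name the p-code uses but the source never mentions
    cannot have been compiled from that source: that is the stomping signature."""
    visible = source_identifiers(vba_source)
    hidden = sorted({i for i in pcode_identifiers if i.lower() not in visible},
                    key=str.lower)
    hidden_events = [i for i in hidden if AUTO_EVENT_RE.match(i)]
    hidden_suspicious = [i for i in hidden if i.lower() in SUSPICIOUS_NAMES]
    if hidden_events and hidden_suspicious:
        verdict = "stomped: hidden auto-firing event reaches hidden execution primitive"
    elif hidden_events or hidden_suspicious:
        verdict = "suspicious: p-code uses names absent from the source"
    elif hidden:
        verdict = "mismatch: source and p-code disagree on ordinary names"
    else:
        verdict = "consistent: every p-code identifier appears in the source"
    return {"hidden": hidden, "hidden_events": hidden_events,
            "hidden_suspicious": hidden_suspicious, "verdict": verdict}


# Constructed inputs (not taken from the sample). The p-code identifier table
# is what a dumper lists; the source is what a stomped module shows after
# decompression: a harmless-looking Workbook_Open and nothing else.
STOMPED_PCODE_IDS = ["Workbook_Open", "Range", "Value", "Frame1_Layout",
                     "Application", "ExecuteExcel4Macro", "Shell", "Chr", "sXlm"]
STOMPED_SOURCE = """\
Private Sub Workbook_Open()
    ' Looks harmless: reads one cell and does nothing with it
    Dim v As String
    v = Range("A1").Value
End Sub
"""

# Same p-code, but with the source that actually produced it: still malicious,
# yet a source-level scanner can see the stager, so it is not stomped.
HONEST_SOURCE = """\
Private Sub Frame1_Layout()
    Dim sXlm As String
    sXlm = "=EXEC(" & Chr(34) & "calc.exe" & Chr(34) & ")"
    Application.ExecuteExcel4Macro sXlm
    Shell "calc.exe"
End Sub
Private Sub Workbook_Open()
    Range("A1").Value = 1
End Sub
"""

if __name__ == "__main__":
    for label, src in (("stomped", STOMPED_SOURCE), ("honest", HONEST_SOURCE)):
        print(label, stomping_indicators(STOMPED_PCODE_IDS, src))
```

The check is deliberately one-directional: names that appear only in the source are normal (the compiler drops unused declarations), while names that appear only in the p-code have no honest explanation. A consistent result does not mean the module is benign, only that the source is what actually runs.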

Extracted artifacts 4

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size.

xlm_macros.txt
  SHA-256: 7a873772d22b84fb2e5c87cf1d887efea4fb26f51677f76f009c36a3c9fabed9
  Kind: xlm-macro
  Source: oletools.olevba.extract_all_macros (XLM macro listing)
  Size: 723 bytes

macros.bas
  SHA-256: d8224e34aa6b2be1e9e8b461911e1ce2a352dd727644fc7595f4160c2052abe3
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 14356 bytes

embedded_office_00004545.exe
  SHA-256: ce716e0b46b42795c11fac072a4facecd8f93df6539b5cba3b05e3c8de71cfdf
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x4545
  Size: 843963 bytes
  Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
  Obfuscation or payload: unlikely
  Note: 0x4545 (17733) + 843963 = 861696 bytes = 841.5 KB, the size of the sample itself, so this carve runs from the MZ header to end of file. Treat 843963 bytes as an upper bound: the executable's real on-disk extent is given by its section table (plus the Certificate Table if it is Authenticode-signed), and the trailing bytes belong to the workbook, not the payload. Hash the header-delimited image, not the EOF carve, before pivoting on it.

ole10native_00.bin
  SHA-256: 454a18f09e3739ecf600df8c1b4b3f7d036467abc051ac1526a127cdcf7aae34
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD0013E449/Ole10Native
  Size: 607001 bytes
  Note: MBD* storages are how Excel stores embedded OLE objects, and an Ole10Native package is the usual vehicle for an executable embedded in a workbook; check whether the 0x4545 MZ header lies inside this stream's data.
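The carving pitfall noted above (an EOF carve that overstates the executable's size) and the DER bytes dragged into the extracted URL list can both be shown on a constructed file. The following is an added example and not the platform's own carver: it scans a buffer for "MZ", rejects stray MZ bytes that do not lead to a "PE\0\0" header, computes the image's true extent from the section table and the Certificate Table data directory, and greps the signature blob for URLs the way a printable-string extractor does. The minimal PE, the carrier bytes, the section layout and the example CRL URL are all constructed here and are assumptions of the example.

```python
import re
import struct


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def parse_pe_at(blob, off):
    """Validate an 'MZ' at `off` as a real PE and compute its on-disk extent.
    Returns None for stray 'MZ' bytes that do not lead to a 'PE\\0\\0' header."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = _u32(blob, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec = _u16(blob, pe + 4), _u16(blob, pe + 6)
    opt_size = _u16(blob, pe + 20)
    opt = pe + 24                     # optional header follows the 20-byte COFF header
    sec = opt + opt_size              # section table follows the optional header
    if nsec == 0 or nsec > 96 or sec + nsec * 40 > len(blob):
        return None
    magic = _u16(blob, opt)
    end = sec + nsec * 40 - off       # at least the headers, relative to the MZ
    for i in range(nsec):
        raw_size = _u32(blob, sec + i * 40 + 16)   # SizeOfRawData
        raw_ptr = _u32(blob, sec + i * 40 + 20)    # PointerToRawData
        end = max(end, raw_ptr + raw_size)
    # Data directory 4 is the Certificate Table. Unlike the other directories
    # its first field is a FILE offset, because the Authenticode blob lives
    # outside any section, appended after the last one.
    dd = opt + (0x60 if magic == 0x10B else 0x70)  # PE32 vs PE32+ directory base
    cert_off, cert_size = 0, 0
    if dd + 40 <= sec:
        cert_off, cert_size = _u32(blob, dd + 32), _u32(blob, dd + 36)
        if cert_size:
            end = max(end, cert_off + cert_size)
    return {"offset": off, "machine": machine, "sections": nsec,
            "signed": cert_size != 0, "cert_range": (cert_off, cert_off + cert_size),
            "true_size": end, "carve_to_eof_size": len(blob) - off}


def carve_pe(blob):
    """Every validated PE in `blob`, lowest offset first."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(b"MZ", pos + 1)
    return found


URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def urls_in(blob, start, end):
    """Printable-run URL grep over a byte range, as a string extractor does it.
    Inside DER this drags the next element's tag/length bytes along, which is
    why an extracted CRL URL can end in a spurious '0', '0X' or similar."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob[start:end])]


def build_sample_pe():
    """Constructed minimal PE32 (not a real binary): two sections plus a fake
    WIN_CERTIFICATE blob carrying a CRL URL followed by DER-style bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<II", opt, 0x60 + 4 * 8, 0x500, 0x80)           # cert dir: offset, size

    def section(name, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, rsize, 0x1000, rsize, rptr,
                           0, 0, 0, 0, 0x60000020)

    headers = (dos + coff + bytes(opt)
               + section(b".text", 0x200, 0x200) + section(b".data", 0x100, 0x400))
    cert = (struct.pack("<IHH", 0x80, 0x0200, 0x0002)                 # WIN_CERTIFICATE header
            + b"http://crl.example.test/ca.crl0\x1e")                # URL + next DER bytes
    return (headers.ljust(0x200, b"\0") + b"\xCC" * 0x200 + b"\0" * 0x100
            + cert.ljust(0x80, b"\0"))


# Constructed carrier: an OLE-like prefix, a decoy 'MZ' with no PE header, the
# PE, then 0x300 bytes of trailing document data that an EOF carve would swallow.
CARRIER = (b"\xD0\xCF\x11\xE0" + b"\0" * 0x100 + b"MZ junk " + b"\0" * 0x100
           + build_sample_pe() + b"D" * 0x300)

if __name__ == "__main__":
    for pe in carve_pe(CARRIER):
        print(pe)
        lo, hi = pe["cert_range"]
        print(urls_in(CARRIER, pe["offset"] + lo, pe["offset"] + hi))
```

On the constructed carrier the decoy "MZ" is rejected, the real image is reported at its offset with a true size of 0x580 bytes against an EOF carve of 0x880, and the URL grep over the certificate range returns the URL with the SEQUENCE tag "0" glued on, exactly the artifact seen in the report's URL list. To get clean URLs, parse the WIN_CERTIFICATE payload as PKCS#7 rather than grepping it.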