Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 133a073faa83ee22…

MALICIOUS

Office (OLE) / .XLS

537.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: d83d1851961c074c55851416ebbb613f SHA-1: 19e6e3ffafb77dd6d3307450b64c7811efdfa9a3 SHA-256: 133a073faa83ee228cce038b46ce0220f4b9c4e9a9c34ee609828ba25caf3735
220 Risk Score

Heuristics 5

  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
82e1e47d5ead737b15bb2148da65cf727043b2c8a73a6e4133c451f98570a39a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.