Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 15a6453933d1cb03…

MALICIOUS

Office (OLE) / .XLS

537.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: 352d86312e5053dcd53aaab164f9aa93 SHA-1: 39fc0b69e5179bbee13da1b0f737f5822c429438 SHA-256: 15a6453933d1cb032d8e8818f378251dd92ae2d7b157090875841eeee3730a93
220 Risk Score

Heuristics 5

  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • ClamAV: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Qbot-b760f03263b7c21b-9950248-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
658441cd825df9b7ed7ef6d0867985a34733bc19b34bf42def3906ad3b19244e		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3709 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.