Office (OLE) / .XLS malware analysis — malicious · 18bf4b5c8afb5236

MALICIOUS

Office (OLE) / .XLS

52.5 KB Created: 2022-10-24 06:47:42 Authoring application: Microsoft Excel First seen: 2022-10-25

MD5: cb35029dadab6b685c2edcb97df1c402 SHA-1: cf48815a5f9694e5a48e1a1cf53935626a2949bd SHA-256: 18bf4b5c8afb52369a5a851d1cab2c314ebc8ed7f78fc06c6dbab3929dd1747f

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1140 Deobfuscate or Obfuscate Malicious Code

The sample is an Excel file containing VBA macros that leverage the Shell() function to execute a downloaded payload. The script attempts to decode a base64 string which appears to be a URL, likely for downloading the next stage. The ClamAV detection name 'Xls.Downloader.b83ac4c497e169b5-9980307-0' further supports its role as a downloader.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `a36982806de1495d90b59e2a7528e8700ac1df7f5be23bce8e67917d1f0e8c2d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3169 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.