Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 19042ea0e61783a3… (full hash below)

Verdict: MALICIOUS

File type: Office (OLE) / .XLS

Size: 62.5 KB
Created: 2020-05-04 07:48:11
Authoring application: Microsoft Excel
MD5: 123d621f757010126f0563eae0d2d8d3
SHA-1: 39d814116ac3e0b36527dcb202f53d819f1614da
SHA-256: 19042ea0e61783a3c281e3f02e0e2e2b07e9421bae0afeeae21febe450510f0c
Risk score: 280

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an Excel file containing VBA macros. The macro uses `CreateObject` to instantiate `WScript.Shell` and execute a command. The `more` subroutine, called by `back`, constructs a command string and runs it through `WScript.Shell.Run`. The statement that executes it is `WScript.Quit = """""""" & CreateObject ("WScript.Shell").Run(k, 0, 0)` (window style 0, i.e. hidden, and no wait for completion); the command is designed to download and execute a second-stage payload. The ClamAV detection name 'Xls.Dropper.Agent-7759977-0' further supports classification as a dropper.

Heuristics (6)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
  • ClamAV: Xls.Dropper.Agent-7759977-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7759977-0
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1268 bytes
    SHA-256: afee68aba5b0c8fd334b28a3c823e20205b61e3a8a8c5396e0288baab6822680