Office (OLE) / .XLS malware analysis — malicious · 19ae193c8698ca45

MALICIOUS

Office (OLE) / .XLS

410.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 92115a5237c7e2414d2df57ca3c8943e SHA-1: f6ade9ee4730ad2b320ea4c19ebbce1db6d1f3b9 SHA-256: 19ae193c8698ca457835e8cae6a4298d73e0ac202daa657933322ac418e9191e

262 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file is an Excel spreadsheet containing VBA macros, including Workbook_Open and Auto_Open routines, which are commonly used to initiate malicious actions upon opening. The macros reference the URLDownloadToFile API, indicating an intent to download and execute a payload from one of the embedded URLs. The ClamAV detection name 'Xls.Malware.Valyria-10029771-0' further supports its malicious nature.

Heuristics 7

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
ClamAV: Xls.Malware.Valyria-10029771-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Valyria-10029771-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://188.165.62.10/
- http://185.82.202.248/
- http://84.246.85.241/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `5a93fdb6f254ca5fb402631b6f65405fa671c41dc19a0d9e83d6d2bc3ec0b2be`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3979 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.