Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 1fd41236332fa7ce…

Verdict: MALICIOUS
File type: Office (OLE) / .XLSX
Size: 64.5 KB
Created: 2021-08-17 12:24:08
Authoring application: Microsoft Excel
MD5: b448595bd43ef1c96c826584b2593cf8
SHA-1: 23f371be27f04122040cbeb1c58b98dfd84de342
SHA-256: 1fd41236332fa7ce30f1fded2ffab486ae713519af7ca0ef23a7077c6e09d973
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The sample is an Excel file containing an Auto_Open VBA macro. The macro uses the ScriptControl object to execute code embedded in the document's 'Subject' and 'Comments' properties. This technique is commonly used to download and execute further malicious payloads. The ClamAV detection name 'Xls.Downloader.MirrorBlast' also suggests downloader functionality.

Heuristics (3)

  • ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
  • Auto_Open macro [high, OLE_VBA_AUTO]
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (0278d22c57457c6ea65486c5e13f4b06bae683e9ef9fa360c905d1932da96848) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 862 bytes