Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 23fb0fb0af0ddbd1…

MALICIOUS

Office (OLE) / .XLS

Size: 73.5 KB
Created: 2022-12-20 09:49:16
First seen: 2022-12-20
MD5: 99e31825360688320481d49c68bf09ef
SHA-1: cacaa19a86b174b6ca0e4e1e19df87c246117af3
SHA-256: 23fb0fb0af0ddbd12b5f0cde18d66473ee9e3d70eb0dae3f8f2edc1fd89f068b
Risk Score: 288

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an XLS document containing VBA macros that use WScript.Shell and CreateObject to execute shell commands. The ClamAV detection name 'Xls.Downloader.b83ac4c497e169b5-9980307-0' strongly suggests downloader functionality. The Base64 decoding routine within the macro indicates that it is likely deobfuscating and executing a malicious payload.

Heuristics (7)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • SC_STR_WSCRIPT (high): Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: fb2ae5da213ad2a3d9d56dd0a90b09b4f3ea30b411d30b45df107c97030719c2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4879 bytes