Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 293c03d9cb6fefc9…

MALICIOUS

Office (OLE) / .XLS

27.0 KB
Created: 2017-02-27 12:04:03
Authoring application: Microsoft Excel
First seen: 2022-03-18
MD5: 3651ea1885ffc5e1d71454f172ba307a
SHA-1: 4ec18ec62decd34d279113be6e533d16a1f0db66
SHA-256: 293c03d9cb6fefc94f05b10bc4fa27bcd41375921ee7bbfd3f76e476cc3b2e53
200 Risk Score

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros. The presence of AutoOpen, Auto_Open, and Workbook_Open macros indicates an attempt to execute code automatically when the workbook is opened. The ClamAV detection as 'Doc.Downloader.Generic' suggests the macro's purpose is to download and execute a second-stage payload. No specific download URLs or execution commands were extracted from the provided script, limiting further analysis of the payload.

Heuristics 5

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (90e48f3571fd21b17459aae87ff576ced6855bfdd9e1f0e22c9b78b40d9a085d) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 794 bytes