Office (OLE) / .XLS malware analysis — malicious · 29ab6f3130ce6d68

MALICIOUS

Office (OLE) / .XLS

133.5 KB Created: 2020-11-20 17:59:00 Authoring application: Microsoft Excel

MD5: ed395b59845cb441a3db8be4d4e04000 SHA-1: 36e5cf0756be9a410a30246e2678cfe8b5c18e8f SHA-256: 29ab6f3130ce6d68adcaa409dcf5b11c7e9253257b25de86710f7385df7401d9

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 PowerShell T1059.001 PowerShell T1204.002 Malicious File T1027 Obfuscated Files or Information

The file contains both VBA and Excel 4.0 macros, with the latter being triggered by the Auto_Open event. The XLM macro at Macro!D128 constructs and executes a PowerShell command that downloads a file named 'gl.exe' from 'https://cutt.ly/AhIRZR5' using .NET WebClient. The subsequent XLM macro at Macro!D129 moves the downloaded file to the temporary directory. The VBA macro appears to prepare the environment for the XLM macro execution. This indicates a downloader functionality.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `87904d1bec71ff555ccd2ac96eaae72dd3bf39265e25e8c3542e2f80cfdaf24b`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1781 bytes
`macros.bas` `cd570610748f1d9f3b3da8aecc12295e1dff4beebd51624b3e1fafca26bf9c59`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.