Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2acdd04554feb1ef…

MALICIOUS

Office (OLE) / .XLS

68.5 KB
Created: 2021-08-17 12:24:08
Authoring application: Microsoft Excel
MD5: bb6169cac9a125cd63eedeb3893b920b
SHA-1: 849cf017216ecc77a9ad2aa773ccbf976755c9dc
SHA-256: 2acdd04554feb1ef8b0307d5fb2c1bf7fd6a8e1157f9d3753119e64b30c16c30
120 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is a malicious Excel spreadsheet containing an Auto_Open VBA macro. The macro uses the ScriptControl object to execute code embedded in Sheet1, specifically in cells A1 and A2. The script is designed to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Xls.Downloader.MirrorBlast'. The exact download URL and payload are not directly visible in the provided script; they are loaded dynamically from worksheet cells.

Heuristics 3

  • ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (115fb15e1f09390bb535bdb73f887790f06175481500c49ad54849a3ec91759e)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1145 bytes