Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2c2dda4f1a8810d8…

MALICIOUS

Office (OLE) / .XLS

64.5 KB Created: 2021-08-17 12:24:08 Authoring application: Microsoft Excel
MD5: 184947994777bb8fc0922ee42b59a854 SHA-1: 728d08226231cdd2db5cd033544a9d94ab579e2e SHA-256: 2c2dda4f1a8810d8a774f0fb5e0e33b6ed4a3172601f457f37b5e4eacc6c4c27
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing an Auto_Open VBA macro. This macro utilizes a ScriptControl object to execute JavaScript code embedded within the document's 'Comments' property. The ClamAV detection name 'Xls.Downloader.MirrorBlast' strongly suggests this macro is designed to download and execute a secondary payload. The VBA code dynamically sets the script language based on the document's 'Subject' property, which is unusual but does not alter the core downloader functionality.

Heuristics 3

  • ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
0278d22c57457c6ea65486c5e13f4b06bae683e9ef9fa360c905d1932da96848		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 862 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.