Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2d8bd8eb56bff74b…

MALICIOUS

Office (OLE) / .XLS

Size: 52.5 KB
Created: 2022-10-24 06:47:42
Authoring application: Microsoft Excel
First seen: 2022-10-24
MD5: 19f1aea052fda7de443b7f287083c70d
SHA-1: 3cbeeaf191272c635bb1aa9c6ac9d6c6cc0c10db
SHA-256: 2d8bd8eb56bff74bac7927a865cfa25d9f6a0113e347c4fc647c7862640f31c9
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample is an Excel workbook containing VBA macros. The macros call `Shell()` and `CreateObject()`, which together indicate that the document launches an external process and drives COM objects (such as a file-system or scripting object) rather than merely manipulating spreadsheet data; `Environ()` is also called, typically to resolve an environment-dependent path for the dropped file. The macro decodes a Base64 string and writes the result to a file, most likely a second-stage payload; this matches the ClamAV downloader classification and the PowerShell technique mapped above. The string 'Mh9tV1t549p0sE:W/24/fPor45tihE3oo20k.cD77o6mH' is not a reconstructed URL but a still-obfuscated one: URL-like lowercase letters and punctuation are interleaved with digits and capital letters, a common string-padding trick that the macro strips at run time. It should be de-noised and checked against the decoding routine in the carved macro source before being treated as the download location.

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • OLE_VBA_CREATEOBJ (high): CreateObject() call
  • OLE_VBA_MACROS (medium): document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)
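The behaviours flagged above (Shell(), CreateObject() and Environ() calls, a Base64 literal written to disk, a padded URL-like string) can be checked directly against the carved macro source. The Python triage script below is an added example for this page, not code from the original report or from oletools: it runs on decoded VBA text such as the macros.bas that olevba extracts, applies the same three code-behaviour heuristics, decodes any Base64 string literals, and tries a few noise-stripping filters on the obfuscated string quoted in the report. The VBA snippet embedded in it is constructed for the example and is not the sample's real macro; the URL the filter recovers is a candidate only, since the page does not confirm which characters are padding.

```python
"""Triage helper for VBA macro source carved from an Office OLE file.

Added example for this report, not code from the original page or from
oletools. Input is decoded VBA text (what olevba's extract_macros produces).
"""
import base64
import re
import sys

# Constructed VBA snippet (NOT the sample's real macros.bas) that mimics the
# behaviours the report describes: Environ() for a path, CreateObject() for a
# file-system object, a Base64 literal written to disk, then Shell() to run it.
SAMPLE_VBA = r'''
Sub Workbook_Open()
    Dim tmp As String
    tmp = Environ("TEMP") & "\upd.ps1"
    Dim blob As String
    blob = "V3JpdGUtSG9zdCAic3RhZ2UyIg=="
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(tmp, True)
    f.Write Decode64(blob)
    f.Close
    Shell "powershell -ep bypass -f " & tmp, vbHide
End Sub
'''

# The obfuscated string quoted in the report.
REPORT_STRING = "Mh9tV1t549p0sE:W/24/fPor45tihE3oo20k.cD77o6mH"

# The three code-behaviour heuristics the report lists, with its severities.
HEURISTICS = [
    ("OLE_VBA_SHELL", "critical", re.compile(r"\bShell\b", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
]


def scan_heuristics(vba):
    """Return [(rule_id, severity)] for every heuristic that fires."""
    return [(rule, sev) for rule, sev, rx in HEURISTICS if rx.search(vba)]


# Quoted literal of 16+ Base64-alphabet characters plus optional padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def decode_base64_literals(vba):
    """Return [(literal, decoded_bytes)] for literals that decode cleanly.

    Literals whose length is not a multiple of four are skipped: they are
    usually chunks of a longer string joined with & at run time.
    """
    found = []
    for m in B64_LITERAL.finditer(vba):
        lit = m.group(1)
        if len(lit) % 4:
            continue
        try:
            found.append((lit, base64.b64decode(lit, validate=True)))
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
    return found


# Noise-stripping filters for padded strings; each removes one class of filler.
FILTERS = {
    "drop_digits": lambda s: re.sub(r"[0-9]", "", s),
    "drop_upper": lambda s: re.sub(r"[A-Z]", "", s),
    "drop_digits_and_upper": lambda s: re.sub(r"[0-9A-Z]", "", s),
}
URL_SHAPE = re.compile(r"^(https?|ftp)://[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$")


def recover_url(obfuscated):
    """Return [(filter_name, candidate)] for filters whose output looks like a URL.

    A hit is a lead to confirm against the macro's own decoding routine,
    not a verified indicator.
    """
    return [(name, fn(obfuscated)) for name, fn in FILTERS.items()
            if URL_SHAPE.match(fn(obfuscated))]


def triage(vba, extra_strings=()):
    """Bundle the three checks into one report dict."""
    return {
        "heuristics": scan_heuristics(vba),
        "base64": decode_base64_literals(vba),
        "urls": [hit for s in extra_strings for hit in recover_url(s)],
    }


if __name__ == "__main__":
    # Usage: python3 triage.py [macros.bas]; falls back to the built-in sample.
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        src = SAMPLE_VBA
    for key, val in triage(src, [REPORT_STRING]).items():
        print(key, val)
```

Run it against the real artifact with `python3 triage.py macros.bas`. The Base64 decoder deliberately skips literals whose length is not a multiple of four, which is how chunked `"..." & "..."` strings show up; join those chunks first, in the order the macro concatenates them, before decoding. Any URL candidate should be compared with the macro's own de-noising routine rather than trusted on the strength of a regex match.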

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a36982806de1495d90b59e2a7528e8700ac1df7f5be23bce8e67917d1f0e8c2d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3169 bytes