Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2ecb091b73a66aec…

MALICIOUS

Office (OLE) / .XLS

Size: 71.0 KB
Created: 2022-11-29 07:16:03
First seen: 2022-12-02
MD5: e49770634c3a7bc6457dc16d6d618584
SHA-1: 6dc6af667e54b8031eb68752e471bb8e1ace201b
SHA-256: 2ecb091b73a66aec52d72d793665f7430336fc0ccef2cb512c40303e80c8adb9
Risk Score: 188

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1105 Ingress Tool Transfer

The file contains VBA macros that utilize the Shell() and CreateObject() functions, indicative of malicious activity. The script attempts to download content from a URL using MSXML2.XMLHTTP and then likely executes it. The ClamAV detection name 'Xls.Downloader.b83ac4c497e169b5-9980307-0' further supports its role as a downloader.

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • OLE_VBA_CREATEOBJ (high): CreateObject() call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: eb48ca61505819a4d99cc693d2dd3c25fbe1407842f37a3b8b364fd8c22ae10c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5069 bytes