Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 34ac27459b6ee01f…

MALICIOUS

Office (OLE) / .XLS

Size: 52.0 KB
Created: 2022-10-06 08:24:44
Authoring application: Microsoft Excel
First seen: 2022-10-06
MD5: fb6771955df4260b7d854dfc31231fba
SHA-1: fc27ac098512bd3de679501183ba9bfc1ac80ce9
SHA-256: 34ac27459b6ee01fe98d574cfca00c32182a52cd02bdb457f0113b1978d84893
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The file contains VBA macros that use the Shell() function to execute commands and CreateObject to interact with the system. The macro attempts to download a payload from the obfuscated URL '3uAr7l;hLt21tKOp3s0:/12Q/Ss7Nim3SipiOO8mi.20cDOoVm5'. This indicates downloader functionality: the document is intended to fetch and execute further malicious content.

Heuristics (5)

  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 923e80110eaaf8988488643d1b3137e7f8ec4522c327f1e2aee8f922c07d8719
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3400 bytes