Office (OLE) / .XLS malware analysis — malicious · 374b9d2287355b2b

MALICIOUS

Office (OLE) / .XLS

204.5 KB Created: 2020-11-11 23:14:37

MD5: 973269fc46476f001c6707c1cd2409e2 SHA-1: bc4d58641ae9344a94c2b05cecd2429ea8a669f5 SHA-256: 374b9d2287355b2bce9eafdbb30745c48ebd5debcb37ec4e87c91957c2195e68

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer

The critical heuristics indicate the presence of VBA macros, specifically a Workbook_Open macro that utilizes the Shell() function and URLDownloadToFile. This strongly suggests the macro is designed to download and execute a second-stage payload from an external source. The extracted artifact 'macros.bas' further confirms the VBA macro content. Given the direct evidence of payload downloading and execution via VBA, the confidence is high.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c344d7dcff73c5bbd0326683fcbc01f9ac02810e5fede2b871d543a737df909b`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3426 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.