Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3bfb9a48fd798590…

MALICIOUS

Office (OLE) / .DOC

Size: 66.0 KB
Created: 2020-03-17 13:41:31
Authoring application: Microsoft Excel
MD5: 020cee7464973ddb3ab3f5bfdeb5b61d
SHA-1: 4b8aadaa29aa60bddd186c2927e497627bfcfbed
SHA-256: 3bfb9a48fd798590a283b14a2abd87025d4ce78cde1c041490317be6d70b2043
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.005 Visual Basic
  • T1200 Hardware Add-in
  • T1059.004 PowerShell
  • T1059.001 PowerShell

The file is an Excel 4.0 macro sheet (XLM) that contains a lure to enable editing and content. The presence of ShellExecute and URLDownloadToFile API calls, along with the embedded URLs, indicates that the macro is designed to download and execute a second-stage payload. The ClamAV detection as 'Xls.Dropper.Agent-9231700-0' further supports this assessment.

Heuristics (6)

  • Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]
    Reference to URLDownloadToFile API
  • ClamAV: Xls.Dropper.Agent-9231700-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Agent-9231700-0
  • Reference to ShellExecute API [high, SC_STR_SHELLEXEC]
    Reference to ShellExecute API
  • Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure [medium, SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://typrer.com/qrpt.exe