Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 414b0237b94436fe…

MALICIOUS

Office (OLE) / .XLS

Size: 416.5 KB
Created: 2020-11-27 01:38:46
Authoring application: Microsoft Excel
First seen: 2022-04-26
MD5: 94bc695f0b903ed4b0d604042aa9a5f3
SHA-1: 91c90600b5dd996a9de508dadf1e5745b9fde7f1
SHA-256: 414b0237b94436fe3769b6d5c5bfccb651e406289bf5210ce3dfec52f8561dfc
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic

This XLS file contains VBA macros, including Auto_Open and Auto_Close functions, indicating malicious intent. The Auto_Open macro attempts to save a copy of the workbook to the Excel startup folder as 'mypersonnel.xls', likely to achieve persistence. The Auto_Close macro attempts to save the workbook in an older XLS format and delete the XLSX version, potentially to evade detection or ensure a specific file format. The embedded URLs are related to real estate listings, suggesting a lure for users to open the malicious document.

Heuristics (5)

  • ClamAV: Xls.Malware.ExcelSic-10004731-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (11 unique):
    • https://sosanhnha.com/dat-mat-tien-tinh-lo-830-huyen-ben-luc-289m-clar4ZBYq
    • https://sosanhnha.com/341m2-tho-cu-mat-tien-824-830-xa-an-thanh-ben-luc-cla9G3Q5P
    • https://sosanhnha.com/can-ban-dat-mat-tien-dt-824-xa-luong-binh-ben-luc-cla5xqPjK
    • https://batdongsan.com.vn/ban-dat-duong-tinh-lo-830-xa-an-thanh-3/b-mat-tien-tl-830-ben-luc-long-dt-447m2-full-tho-cu-shr-k-trh-chap-lh-0902878604-pr31142189
    • https://sosanhnha.com/dat-mat-tien-tinh-lo-824-long-an-cla7AA2Pb#group=bds_sosanhnha&photo=7
    • https://alonhadat.com.vn/-hang-ngop-mua-dich-mat-tien-tl830--9332115.html
    • https://nha.chotot.com/mua-ban-dat-huyen-ben-luc-long-an/91852988.htm
    • http://sosanhnha.com/ben-luc-long-an-580m2-8-3x70m-clalpz84k
    • https://nha.chotot.com/mua-ban-dat-huyen-ben-luc-long-an/90885881.htm
    • https://sosanhnha.com/dat-mat-tien-duong-tinh-lo-824-ben-luc-claVdWg53#group=bds_sosanhnha&photo=1
    • https://nha.chotot.com/mua-ban-dat-huyen-ben-luc-long-an/91990619.htm

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 0e027d7c75d49f79cc7aa4389acfebf7b55f41d2ad86258589318b07847f19ae
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1816 bytes