Remcos — Office (OOXML) / .XLSM malware analysis

Static analysis result for SHA-256 41c5f1255cce4354…

MALICIOUS

Office (OOXML) / .XLSM

Size: 95.8 KB | Created: 2015-06-05 18:17:20 UTC | Authoring application: Microsoft Excel 16.0300
MD5: fea8fccb24fde88471634fa9e0188c98
SHA-1: dc11afd4b277f7c9f5efe3ad25f0fe3b450870d7
SHA-256: 41c5f1255cce4354260808461f21f81be011b7114a1782e60a28c3092e73f8af
Risk Score: 160

Malware Insights

Remcos · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The file is an XLSM document containing VBA macros, as indicated by the OOXML_VBA heuristic. The ClamAV detection explicitly identifies it as 'Xls.Downloader.Remcos'. The VBA script utilizes GetObject and CallByName functions, which are often used to execute arbitrary code or interact with the system. Specifically, the script appears to construct commands involving 'ShellExecute' and potentially downloads a second-stage payload, as suggested by the downloader family attribution. The confidence is high due to the explicit ClamAV detection and the presence of known malicious VBA patterns.

Heuristics (4)

  • ClamAV: Xls.Downloader.Remcos-ffff7e420001049f-9951592-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Remcos-ffff7e420001049f-9951592-0
  • GetObject call (high, OLE_VBA_GETOBJ)
    The VBA code calls GetObject.
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    The VBA code calls CallByName.
  • VBA project inside OOXML (medium, OOXML_VBA)
    Document contains vbaProject.bin — VBA macros present

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas (kind: vba-macro, 1406 bytes)
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    SHA-256: ef4f6a712d8089e53269aab57d74152766c59d7a53b4743a2162252cab2dca5a
  • vbaProject_00.bin (kind: vba-project, 17920 bytes)
    Source: OOXML VBA project: xl/vbaProject.bin
    SHA-256: afd5d063f6027b32d8dd26d28721568d86649a32c5aada888abc1eb2d2d05c8b