Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4648edc370e61a52…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 67.0 KB
Created: 2021-08-17 12:24:08
Authoring application: Microsoft Excel
MD5: 128a2d6105360896238515c941c67f88
SHA-1: b602a512b58a089d5b2df45cd43f778e811a9b83
SHA-256: 4648edc370e61a52c95d3f525391e0154406fd661d01d091f2d9dba9f8a485f2
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The file is an XLS document containing a VBA macro that leverages the MSScriptControl.ScriptControl object, as indicated by the CVE-2015-0097 heuristic. The Auto_Open macro is present and uses the ScriptControl to execute code embedded within the document's properties ('Category' and 'Title'). This technique is commonly used to download and execute further malicious payloads. The ClamAV detection name 'Xls.Downloader.MirrorBlast' also suggests a downloader functionality.

Heuristics (4)

  • MSScriptControl.ScriptControl — CVE-2015-0097 [high] (CVE likely, CVE_2015_0097_SC)
    MSScriptControl.ScriptControl — CVE-2015-0097
  • ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  b098990a4977172c41d7395f7514aa87c28b8af87e6e2a8a29c403c6443a20b2
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1176 bytes