Office (OLE) / .XLS malware analysis — malicious · 47c655c0f2df2ae4

MALICIOUS

Office (OLE) / .XLS

229.0 KB Created: 2020-09-20 21:17:44

MD5: 97046c81c5e314288f28ddd9d71ec0db SHA-1: 7d7d1de8110fe0ad30ca9c6ad299b67667ef8227 SHA-256: 47c655c0f2df2ae448f0c735f199a57366d9076351ee1ad2eaf730f14b49dafe

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic

The sample contains Excel 4.0 macros that are automatically executed upon opening. One macro reconstructs and executes a PowerShell command to download a file named 'pd.bat' from 'https://cutt.ly/kjadi5b' to the temporary directory. Subsequent macros manipulate this downloaded file, including setting its attributes to hidden and system, and then executing it. The use of Auto_Open and dangerous formula APIs like RUN indicates a malicious intent to download and execute a second-stage payload.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `7ca4577b57e5fc1a4a6254e4685809d8f1b6c72171f1f1a3ebb3584b1108282f`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.