Office (OLE) / .XLS malware analysis — malicious · 47f9dcebf7f47b85

MALICIOUS

Office (OLE) / .XLS

134.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 840c5f1989180fd8a2f621bf3142b59a SHA-1: 230a78dac0611e07719274ab8736bd39d3492d09 SHA-256: 47f9dcebf7f47b85f5d573d0700800de08a6ac3e476194664b6eb1cf16d1cfea

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel file containing VBA macros, specifically an Auto_Open macro, which is a common technique for initial execution. The ClamAV detection 'Doc.Downloader.Docusign112100-9908075-0' strongly suggests a downloader functionality. Although the VBA script itself primarily manipulates sheet visibility and shapes, the presence of embedded URLs indicates that the macro likely attempts to download and execute a secondary payload from one of the listed IP addresses. The script was truncated, preventing a full analysis of its execution flow.

Heuristics 5

ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://190.14.37.238/
- http://5.196.247.5/�
- http://94.140.115.118/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `82f9ea84a47774711cea5a3dfab141bccbdd4d96155b8209783ccc6bb1cf8498`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4951 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.