Office (OLE) / .XLS malware analysis — malicious · 49f9b69fafd7f58c

MALICIOUS

Office (OLE) / .XLS

86.0 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel

MD5: ce1a402c713afd8f50a597ec8f639ae6 SHA-1: 9467d4fea8f4cb16fce76e2380720d1cadf29c9b SHA-256: 49f9b69fafd7f58cb4dc1bc050ba4af951465ca255102abcdcf16b62385175da

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is an Excel 4.0 macro-enabled spreadsheet. The Auto_Open macro and XLM macros contain obfuscated commands that reconstruct to PowerShell commands. These commands are designed to download a file named 'mn.exe' from 'https://tinyurl.com/y6de9myn' and execute it. The script also attempts to move the downloaded file to the user's AppData directory, indicating a downloader or droppper functionality.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `cd033aea30b46665e5020dd611ce1b68b56dd04a5147e7099194e1a86cac6c2d`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1456 bytes
`macros.bas` `c14dd6d2332aec42601f638d9220a7d42954f10b6b83884a1c68d4a74f82d1bb`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.