Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4a54cfb85494d095…

Verdict: MALICIOUS
Type: Office (OLE) / .XLS
Size: 260.0 KB
Created: 2021-03-24 14:30:16
MD5: ff55513663c88588b990cfae6db5eefc
SHA-1: ff0fc0f31c13d881f88c6edce35da2f818719132
SHA-256: 4a54cfb85494d095d661abd0f3ed90a511a9db81f467440a7aa2a7bd020db961
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The file is an Excel spreadsheet containing both XLM and VBA macros. The VBA macro utilizes the URLDownloadToFile API, indicating an intent to download and execute a second-stage payload from a remote source. The presence of both macro types and the use of a common download API strongly suggest a malicious downloader. The specific URL or filename for the payload is not directly extractable from the provided script excerpts.

Heuristics (4)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: xlm_macros.txt
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 314094 bytes
    SHA-256: ac95c261aed82fff072fd82b8114928c926492b43cea76c4eec931c6142a8d1a
  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3099 bytes
    SHA-256: b8d3029dc5d2c72d16c60d61c7fb8648e2c30ad29086d905012ca42040f627fe