Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 506ccf8da148573c…

MALICIOUS

Office (OLE) / .XLS

Size: 52.0 KB
Created: 2022-11-08 07:25:35
Authoring application: Microsoft Excel
First seen: 2022-11-08
MD5: 4f0a18cbc6aab80a06a1a42da3177973
SHA-1: fc8785c3da9091ad830d626ee3fe7edd1c16db5d
SHA-256: 506ccf8da148573c01a32684fb77e1d18f21b7477621bfd90a0b97062d4115ab
Risk score: 288

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The critical heuristics indicate VBA macros that call Shell() and WScript.Shell, which strongly suggests malicious intent. The VBA script attempts to download content from a URL assembled from obfuscated strings, most likely to fetch and execute a second-stage payload. The ClamAV detection further confirms the file's nature as a malicious downloader.

Heuristics (7)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  • ClamAV: Xls.Downloader.d795e45a60a593c6-9978800-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.d795e45a60a593c6-9978800-0
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call, i.e. environment variable access (low, OLE_VBA_ENVIRON)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: c1ff1a2d1054fe1a8a113d6651c29552579fbbc7bd21d2b7c911c234757d5943
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3839 bytes