Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 524a2c7a97d8323f…

MALICIOUS

Office (OLE) / .XLS

168.0 KB Created: 2021-12-30 09:35:28 Authoring application: Microsoft Excel
MD5: 9e1035f36da93aa7089f12702c221c05 SHA-1: a9372f041ad8e773e62b7708d5e4302c276964df SHA-256: 524a2c7a97d8323f5de3ca9ba3190e372d6f6e076522283a9697324d94ffcd38
368 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The critical heuristic OLE_VBA_DOWNLOAD and the presence of a Workbook_Open macro indicate that this XLS file is designed to download and execute a secondary payload. The VBA code explicitly calls the URLDownloadToFileA API, suggesting an attempt to fetch and run additional malicious content. The ShellExecuteA API is also referenced, further supporting the execution of downloaded content. The ClamAV detection as Xls.Malware.Valyria-10028013-0 confirms its malicious nature.

Heuristics 9

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • ClamAV: Xls.Malware.Valyria-10028013-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10028013-0
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
2e23fc8406ee2dd5893dfe4cfc900f74c85a075d50c8fe6235b8a6f0864b8121		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 12133 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.