Office (OLE) / .XLS malware analysis — malicious · 573c027bb32fa18d

MALICIOUS

Office (OLE) / .XLS

459.5 KB Created: 2020-09-29 08:29:49

MD5: 636ca9dbd130a033393cd1623d3889af SHA-1: 58d9fc4de7a75437a6186e49b71fb44a8738e01c SHA-256: 573c027bb32fa18da9da218823e4aba53fa97ddb9e9a4e84f1c3e05ec2cd95b1

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059.001 PowerShell

The sample is an XLS file containing VBA macros, with a high-confidence Workbook_Open heuristic firing. This indicates that malicious code is designed to execute automatically when the workbook is opened. The presence of a 'CreateObject' call and the extraction of a 'macros.bas' file further support the execution of arbitrary code. The likely intent is to download and execute a second-stage payload, a common technique for initial access.

Heuristics 4

Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `54773c15745a9bc19f70d1ee0727c2202c65170058fb58307304ae3b49d6aa64`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4389 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.