Office (OLE) / .XLS malware analysis — malicious · 5c00430991a28daf

MALICIOUS

Office (OLE) / .XLS

129.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 8d6af41ee21d0d24be9a8c0443464f3f SHA-1: 2ac4cb1b47a63c03afe242137c03bc460810f726 SHA-256: 5c00430991a28daff019acc9d8c4abdabf88b60aaf49d31d34bf6836dea48caf

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The presence of Auto_Open and Auto_Close macros, along with a critical heuristic firing for URLDownloadToFile, indicates that this Excel file is designed to download and execute a secondary payload. The embedded URLs are the most critical indicators for further investigation. The VBA code itself appears to be primarily for document manipulation, but the macro execution and API call strongly suggest malicious intent.

Heuristics 6

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://190.14.37.165/
- http://5.196.247.11/
- http://188.119.113.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `fde66e20711a7f15978b94a5a866f07b9d20ea1d8f560b84fb649e896abaaf38`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4585 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.