Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5cf7bc9a59fcd10c…

MALICIOUS

Office (OLE) / .XLS

Size: 62.5 KB
Created: 2020-05-04 07:48:11
Authoring application: Microsoft Excel
MD5: b6f7af2ec063c060e91b76ded8fabc24
SHA-1: 58fda604e5926c06e479c7fd4f6b14c31a4ee588
SHA-256: 5cf7bc9a59fcd10c02ca84c8dc4993b6f4425c645d863e69ea146668acf244a4
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is an Excel document containing VBA macros. The macros use WScript.Shell and CreateObject to execute commands, likely downloading and running a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-7758917-0' further supports its role as a dropper.

Heuristics 6

  • Shell() call in VBA | critical | OLE_VBA_SHELL
  • WScript.Shell usage | critical | OLE_VBA_WSCRIPT
  • ClamAV: Doc.Dropper.Agent-7758917-0 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7758917-0
  • Reference to Windows Script Host | high | SC_STR_WSCRIPT
  • CreateObject call | high | OLE_VBA_CREATEOBJ
  • VBA macros detected | medium | OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (afee68aba5b0c8fd334b28a3c823e20205b61e3a8a8c5396e0288baab6822680) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1268 bytes