Xls.Downloader.b83ac4c497e169b5-9980307-0 Office (OLE) / .XLS malware analysis — malicious · 6259dad101702a20

MALICIOUS

Office (OLE) / .XLS

74.0 KB Created: 2022-11-29 07:16:03 First seen: 2022-12-02

MD5: 9f7fb6c8ce67df544360de18646ed44c SHA-1: 0db850bb8f9bc9d0d93f161022de46cf22a3073b SHA-256: 6259dad101702a20740fbf05c50d1e76378c500c2ff95641598e43a6ca51b736

188 Risk Score

Malware Insights

Xls.Downloader.b83ac4c497e169b5-9980307-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter

The file is an XLS document containing VBA macros. Heuristics indicate the presence of Shell() and CreateObject() calls, commonly used for executing commands and downloading payloads. The VBA script attempts to download content from a URL using MSXML2.XMLHTTP and then process it, likely to fetch and execute a secondary malicious payload.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ea9aa5786435bec4eb395abb65c6116c3ff1fbdb76bac19e19b704997c425094`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5077 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.