Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 691c949542e958fa…

MALICIOUS

Office (OLE) / .XLS

74.0 KB Created: 2022-11-29 07:16:03 First seen: 2022-12-02
MD5: fc66380a39f620847d2aa1b091244cef SHA-1: 70749ea2bdc2e6b72b3760d86e9532bfaa387665 SHA-256: 691c949542e958fa3de7c85d253ba05d2ad1da0c4919ba5d2dfa64649e6f149a
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1059.003 Windows Command Shell

The file contains VBA macros, including a critical 'Shell()' call and a 'CreateObject()' call, indicating it attempts to execute commands or external programs. The macro function 'HTML_PDF' uses 'MSXML2.XMLHTTP' to fetch content from a URL, which is then processed by 'trombetta' and 'hvenivate' functions. This suggests the macro is designed to download and execute a second-stage payload, consistent with a downloader malware.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
2ad79b085dc7b5cd9fc4e2ac7c49b8975f5ee62aa59c83654239fde5b5252c80		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 5071 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.