Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6e76bd502c911586…

MALICIOUS

Office (OLE) / .XLS

Size: 74.5 KB
Created: 2020-10-25 18:24:14
Authoring application: Microsoft Excel
MD5: 55db711144ff4a35faf58d982e7cf727
SHA-1: ea7b59dde9f0600915069dec66f8410f25cb66fd
SHA-256: 6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file contains both VBA and Excel 4.0 macros. The Excel 4.0 macro at offset 0x586 is particularly concerning as it constructs and executes a command to download a file named 'vx.exe' from 'https://cutt.ly/ZhqUH1O' using PowerShell. It then attempts to move this downloaded file to the user's AppData directory and execute it. The VBA macro's auto_open subroutine calls a named macro 'Auto_ouvrir51', which likely triggers the malicious XLM macro.

Heuristics (4)

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256:  5d1f115893b012bd3124ee3eaae8b50ae85ceef00efe1f41d4ab48fbf4dfe17b
Kind:     xlm-macro
Source:   oletools.olevba.extract_all_macros (XLM macro listing)
Size:     1361 bytes

Filename: macros.bas
SHA-256:  a0a033b7bdd32db37de2043c5a1608274279a4e47581a8678fdd8bdd9b3ee1d1
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     830 bytes