Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6e7b7a338cf0974d…

MALICIOUS

Office (OLE) / .XLS

401.0 KB Created: 2020-11-20 17:59:00 Authoring application: Microsoft Excel
MD5: c6a27fffdcdc13b2b34424746dcfc862 SHA-1: 2f9e7a1428b6cf82ee1b649b5a339445c1391879 SHA-256: 6e7b7a338cf0974dbd22b2852d8bbb9180af9d21487e3c7c0dca4ee1881c369b
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains both Excel 4.0 macros and VBA, with an Auto_Open macro triggering the execution. The XLM macro at Macro!D128 constructs a command to download 'ii.exe' from 'https://cutt.ly/hhRpWNM' using PowerShell, and Macro!D129 moves it to the AppData directory. This indicates a downloader functionality, likely delivered via spearphishing.

Heuristics 4

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
02e3da2dceb1f931679011db9c10a6b82944f2ed276d185f4c78713a59ae86b8		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 1784 bytes
macros.bas
cd570610748f1d9f3b3da8aecc12295e1dff4beebd51624b3e1fafca26bf9c59		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.