Office (OLE) / .XLS malware analysis — malicious · 71c9ca94352f8bae

MALICIOUS

Office (OLE) / .XLS

67.0 KB Created: 2022-11-03 08:36:02 Authoring application: Microsoft Excel First seen: 2022-11-03

MD5: 0f25f3690864d2fddd25776c71536993 SHA-1: e868fb9c23d5c742d4519253535827a292a2a67c SHA-256: 71c9ca94352f8baedaa6b88206f92c5f7b1a0b8e6a5bee346ee7c4524eea829a

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The file contains VBA macros that utilize the Shell() function to execute commands. The `freW` function appears to download content from a URL and process it, while `dimostrargli` uses `Shell()` with a constructed command line that likely executes a downloaded payload. The ClamAV detection name 'Xls.Downloader.d795e45a60a593c6-9978800-0' further supports its role as a downloader.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.d795e45a60a593c6-9978800-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.d795e45a60a593c6-9978800-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c1b27f9781bffd6cef5cb7a4a3c2177edfc3c7496a49e9859fa32eceae5e5835`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.