Office (OLE) / .XLS malware analysis — malicious · 7342103dcccaef9a

MALICIOUS

Office (OLE) / .XLS

410.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 6914ea6d7958fff64c588be284e972a5 SHA-1: 4c8e33fcd0c9418817a984486368c1c92e6198ec SHA-256: 7342103dcccaef9a164f7effea9b0c48e76409bfa163fc137803b03f3d539b3b

262 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The presence of Workbook_Open and Auto_Open macros, along with a critical heuristic firing for URLDownloadToFile API, indicates that the Excel file is designed to execute malicious code upon opening. The macros likely download and execute a second-stage payload from one of the embedded URLs, which are currently untrusted. The ClamAV detection further supports the malicious nature of the file.

Heuristics 7

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
ClamAV: Xls.Malware.Valyria-10029771-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Valyria-10029771-0
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://188.165.62.10/
- http://185.82.202.248/
- http://84.246.85.241/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `5a93fdb6f254ca5fb402631b6f65405fa671c41dc19a0d9e83d6d2bc3ec0b2be`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3979 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.