Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 765a0b4da72ab643…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS
Size: 60.5 KB
Created: 2021-04-19 12:03:22
MD5: 43f414109ce2d6499a026495da965d4c
SHA-1: 2e758022671b7e8b2b34d1e0f4b8084a1e824eed
SHA-256: 765a0b4da72ab6434010d966df81d1853a6dcb1327b609319332390856c4ac73
Risk Score: 220

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The file is an Excel workbook that contains both an Excel 4.0 (XLM) macro sheet and VBA code. Heuristics indicate the presence of macros and a reference to the URLDownloadToFile API, a common technique for fetching a secondary payload. The ClamAV signature 'Xls.Downloader.Valyria-10002374-0' further confirms its classification as a downloader. The VBA macro explicitly declares and calls the 'URLDownloadToFileA' function from 'urlmon.dll', strongly suggesting the intent to download and execute a further stage of malware.

Heuristics (5)

  • Reference to URLDownloadToFile API [critical] (SC_STR_URLDOWNLOAD)
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA [critical] (OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • ClamAV: Xls.Downloader.Valyria-10002374-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Valyria-10002374-0
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
xlm_macros.txt | b04022b273d2a263c1735c81e702717997f2a644097de98a1745cf56fe4b3200 | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 667 bytes
macros.bas | aebc90d30305bcfa2458c7bca61e1ca06c91ef14bb7bb6d1248a3f6300711a3a | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2834 bytes