Office (OLE) / .XLS malware analysis — malicious · 78f2ea23aebfd3a8

MALICIOUS

Office (OLE) / .XLS

75.0 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel

MD5: e5dda7ab892e915ffd5860851d5c1410 SHA-1: 3552d758401d01b1456d933cc0109212a3234bf1 SHA-256: 78f2ea23aebfd3a8ba4efb648bc44e8eb8271bc1b340b6894bad935ce6ae89c7

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 PowerShell T1059.001 PowerShell T1204.002 Malicious File

The file contains both VBA and Excel 4.0 macros, with the VBA auto_open macro triggering an Excel 4.0 macro. The Excel 4.0 macro constructs and executes a PowerShell command to download a file named 'qr.exe' from 'https://cutt.ly/0gZ8dqw'. It then moves the downloaded file to the user's AppData directory and executes it. This indicates a downloader functionality.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `5818449db82d8ff1d15ec4b7cc549e3861d32327884ad511cef5a4f3bb75ab7e`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1259 bytes
`macros.bas` `fee65a11429dc10585813f204465c30b1b3c2131639dcde641611baba3f7538f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	830 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.