Office (OLE) / .XLS malware analysis — malicious · 7a6354bef3b99340

MALICIOUS

Office (OLE) / .XLS

56.5 KB Created: 2020-04-09 12:37:45 Authoring application: Microsoft Excel

MD5: 393900a64e2c3406576056080f9e9285 SHA-1: 662aec0ceb1185362dbccfe2600f3cced8dd7d5f SHA-256: 7a6354bef3b99340b5a510e8085b96e95ad6bb9faf1dd296daf24032e90ffbe5

280 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The XLS file contains VBA macros that utilize WScript.Shell to execute commands. The `Redem` function appears to be designed to execute a command and capture its output, while the `clos` function calls `Redem` with a reconstructed string that is likely a command to be executed. This strongly suggests the macro's purpose is to download and run a secondary payload.

Heuristics 6

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
ClamAV: Xls.Dropper.Agent-7667990-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7667990-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `8b2765daca1fdc7a1d1c984881f5c9747ebbedc655f44388708ce3e9a7a100d3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1761 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.