Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7b7be09d022f8026…

MALICIOUS

Office (OLE) / .XLS

829.5 KB Created: 2020-06-15 21:02:49 Authoring application: Microsoft Excel
MD5: 6a8dd77cc92fe9d0e992f01885941c85 SHA-1: 19317df3889e9fc4458a07c7bf80dcbcc39e096a SHA-256: 7b7be09d022f80263c113ac9be30b162c88fb5993eef4ee76170f4f259163f47
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32 T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1218.010 Signed Binary Proxy Execution: Regsvr32

The presence of Excel 4.0 macros, specifically the Auto_Open function, indicates a malicious intent to execute code upon opening the document. The heuristics confirm the use of ShellExecute and URLDownloadToFile APIs, suggesting the macro downloads and runs a payload. The reconstructed URL 'https://memberteam.works/templatesb/superthemen.php' is the likely source of this payload, which is expected to be an executable like 'yuiEtky.exe'. The macros also show evidence of using 'regsvr32.exe' and 'rundll32.exe' for execution, common techniques for bypassing security controls.

Heuristics 6

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • XLM Auto_Open with dangerous formula APIs high OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://memberteam.works/templatesb/superthemen.php
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
75ebda51797105305a2e2e0509bcb32067f54960fcb45cc357703084fb512b88		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 138612 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.