Office (OLE) / .XLS malware analysis — malicious · 7d0c933be0e1c72e

MALICIOUS

Office (OLE) / .XLS

133.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 0165319f5497be926734db4dea80c9ff SHA-1: e9edf9cb05909ed69c665fc5af7184f4331ba305 SHA-256: 7d0c933be0e1c72e8de89fc3812e06732ada6a90d988d8bea548cb47c34be8c6

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, with high-severity firings for OLE_VBA_MACROS, OLE_VBA_AUTO, and OLE_VBA_AUTOCLOSE. The auto_open macro attempts to run a command from a sheet named 'Niola', suggesting an attempt to execute arbitrary code. The presence of embedded URLs further supports the likelihood of this being a downloader. The ClamAV detection 'Doc.Downloader.Docusign112100-9908075-0' also indicates a downloader functionality.

Heuristics 5

ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://5.196.247.6/�
- http://94.140.112.149/
- http://84.246.85.196//

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `57dbf314ba8d8e0cd5ae01430a1b3452bf5356fd0c3f739414504ecdf5e48acc`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3568 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.