Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7e1fff8a1f589513…

MALICIOUS

Office (OLE) / .XLS

75.0 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel
MD5: 1e32a0277e4e20ce9b4fa22caaa2c696 SHA-1: e1b7f195f63b2574d846e2cd2bea6a7e4bcfea57 SHA-256: 7e1fff8a1f5895139d2e9425436abecd0cbdd2618246ffe7616b7f2caba807fd
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1059.005 Visual Basic

The critical ClamAV detection and high heuristic for an Auto_Open macro indicate malicious intent. The XLM macro constructs a PowerShell command to download 'e2.exe' from 'https://cutt.ly/6gLHgfC' and then executes it. The VBA macro also calls an Auto_Open subroutine, which in turn executes the XLM macro, confirming the execution flow.

Heuristics 4

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
08b6f260bc56a5fa625cc2674ea985fc29adb03ab2ff194f6bb7e7ae055876d9		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 1259 bytes
macros.bas
fee65a11429dc10585813f204465c30b1b3c2131639dcde641611baba3f7538f		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 830 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.