Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 7fc2fed914bdc1d7…

MALICIOUS

Office (OLE) / .XLSX

Size: 64.5 KB
Created: 2021-08-17 12:24:08
Authoring application: Microsoft Excel
MD5: 394347adb75093cadd4a7ef14e5484c9
SHA-1: 5a3ebf3b48986f9cf5469fd3c60c6884141a3268
SHA-256: 7fc2fed914bdc1d7f49bd36d6196fffe818156bd05f48c73ad68021f7723cd4b
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing a VBA macro that runs automatically when the workbook is opened (Auto_Open). The macro uses the ScriptControl object to execute code embedded in the document's 'Subject' and 'Comments' properties. The ClamAV detection name 'Xls.Downloader.MirrorBlast', together with these techniques, strongly suggests that the macro is a downloader designed to fetch and execute a secondary payload.

Heuristics 3

  • ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    0278d22c57457c6ea65486c5e13f4b06bae683e9ef9fa360c905d1932da96848
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 862 bytes