Remcos — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 816abb5c4f9330bd…

MALICIOUS

Office (OLE) / .XLS

Size: 118.5 KB
Created: 2022-01-10 20:09:15
Authoring application: Microsoft Excel
MD5: fbc3185f7dd9ba85181a7b500eee139a
SHA-1: 9751c61ea34297b0a64de7d728a74936011be605
SHA-256: 816abb5c4f9330bdeec1a371831d6086a10f8c2605288bd4c3120f3b3e7daa06
Risk Score: 200

Malware Insights

Remcos · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Excel file containing VBA macros. The macros leverage ShellExecute and CreateObject to download and execute a second-stage payload. The ClamAV detection name 'Xls.Downloader.Remcos' strongly suggests the Remcos family, and the VBA code appears to be designed to download and run further malicious content.

Heuristics (5)

  • ClamAV: Xls.Downloader.Remcos-ffff7e420001049f-9951592-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Remcos-ffff7e420001049f-9951592-0
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 414c49891a269ba4e6797f162377596cccad1b4eaccad1092a8ffd85c472fffd
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1435 bytes