Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 822d2e533e0537f9…

MALICIOUS

Office (OLE) / .XLS

Size: 67.5 KB
Created: 2022-11-03 08:32:50
Authoring application: Microsoft Excel
First seen: 2022-11-03
MD5: 109d15a7d33e671ded911d97bc4a15ab
SHA-1: c6660d40673400505c70af85dfddc735fa50a39f
SHA-256: 822d2e533e0537f92fa3ddcbd8cb2a0d7c33ba2ada626e1cae4ecf466ac61e9b
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The file is an Excel spreadsheet containing VBA macros. Heuristics indicate the presence of Shell() and CreateObject() calls, commonly used for executing downloaded payloads. The script attempts to download content using CreateObject("Msxml2.XMLHTTP"), reconstructs a URL from concatenated strings, and then uses Shell() to execute it. This behavior is consistent with a macro-based downloader.

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Downloader.d795e45a60a593c6-9978800-0
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; the document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 56e4fec01fe6a4f65c983310085a5226afb7ff7c932b11c7a9f61c437cc7747f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3447 bytes