Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 849b1832a1893b45…

MALICIOUS

Office (OLE) / .XLS

Size: 410.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 0bef90cc50274dcd8f37e7e9709daf52
SHA-1: fe8677f3509186bddb4fdc1f6e2a1f4ef0a48f5e
SHA-256: 849b1832a1893b45f5410a1d036e32ac900d5262eca2ddd585f121721cf8073f
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The file is an Excel spreadsheet containing VBA macros, including Workbook_Open and Auto_Open handlers, which are commonly used to execute malicious code as soon as the document is opened. The heuristic firings show a reference to the URLDownloadToFile API together with embedded URLs, suggesting the macro's purpose is to download and execute a second-stage payload from one of the listed IP addresses. The ClamAV detection further confirms its malicious nature.

Heuristics (7)

  • Reference to URLDownloadToFile API (severity: critical, rule: SC_STR_URLDOWNLOAD)
    The macro code references the URLDownloadToFile API.
  • ClamAV: Xls.Malware.Valyria-10029771-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10029771-0
  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    The document contains a Workbook_Open macro.
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    The document contains an Auto_Open macro.
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    The document contains an Auto_Close macro.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    The document contains VBA macro code.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://188.165.62.10/
    • http://185.82.202.248/
    • http://84.246.85.241/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 5a93fdb6f254ca5fb402631b6f65405fa671c41dc19a0d9e83d6d2bc3ec0b2be
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3979 bytes