Office (OLE) / .XLS malware analysis — malicious · 8587fbc19b3dd23e

MALICIOUS

Office (OLE) / .XLS

138.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: e66e2ba99febe7e96ac545d802db0b3b SHA-1: 0d40ffa9df3c755bda516afcb875660d26ba783b SHA-256: 8587fbc19b3dd23e1e21bc3080331e374ef4fb922b200bc850d4bbe65c98cc18

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The file is a macro-enabled Excel spreadsheet containing Auto_Open and Auto_Close VBA macros, indicating malicious intent. The VBA code appears to manipulate sheet visibility and button states, but the critical heuristic is the presence of these auto-executing macros. The ClamAV detection 'Doc.Downloader.Docusign112100-9908075-0' strongly suggests this is a downloader. The VBA script itself is heavily truncated, preventing a full analysis of its execution flow, but the presence of Auto_Open and Auto_Close macros is sufficient to infer a downloader pattern.

Heuristics 4

ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `fb22496bd446d487f3c1e4ff1f3a9cfe52f7b3aaa2723a7a38debb1a03452daa`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5273 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.