Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 865251134f7aa91a…

MALICIOUS

Office (OLE) / .XLSX

53.0 KB Created: 2020-11-20 17:59:00 Authoring application: Microsoft Excel
MD5: 9b914ffb20240b7f5b03a8f8bbb4b937 SHA-1: 0f3a0f49345ea9fff7bb5519bf37704819add24c SHA-256: 865251134f7aa91ac0ba1d8320de0900d84758b5423ee22cb2d56f7a9866ee2c
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample contains both VBA and Excel 4.0 macros. The Auto_Open macro in the VBA script and the EXEC function in the XLM macro both construct and attempt to run a PowerShell command. This command is designed to download a file from 'https://tinyurl.com/y2ua6dah' and save it as 'co.exe' in the user's AppData directory, then execute it. This indicates a downloader or dropper functionality.

Heuristics 4

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
d9651c84922a814fe441fde7c34a9c9c67ab621ba5cf68e85d12b6f9c79ebfbf		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 1829 bytes
macros.bas
6d63cb86a5ee5dd02f48e36073c641f88f8f36c38152f861499967ac4cdc3005		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1069 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.