Office (OLE) / .XLS malware analysis — malicious · 894f5d626d1fff01

MALICIOUS

Office (OLE) / .XLS

139.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel

MD5: 8d69a9b6f84e7edde1329bf18f404beb SHA-1: 054fdd05f3fbe124410201f94eb5cc5e8fcd5071 SHA-256: 894f5d626d1fff01304e87e4e9e436b8c05a8c098e9638f22eb597c7f4406500

220 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros, with the Auto_Open macro being a strong indicator of malicious intent. The ClamAV detection name 'Doc.Downloader.Docusign112100-9908075-0' suggests it functions as a downloader. While the provided VBA script excerpt is truncated, the presence of Auto_Open and Auto_Close macros, along with the downloader heuristic, indicates the primary purpose is to execute malicious code upon opening, likely to fetch and run a second-stage payload.

Heuristics 5

Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f4e48281b213290d1746a751faaf23e6f325824bbdf08ac884120321e035c7eb`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.