Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 8bcdac299930fc69…

MALICIOUS

Office (OLE) / .XLSX

Size: 7.08 MB
Created: 2021-07-01 03:09:21
Authoring application: Microsoft Excel
First seen: 2022-04-07
MD5: 227f405c8156ec214c88ede574785056
SHA-1: 3758b9b39e5b3e8cf56a26ceb06982a57a50d58e
SHA-256: 8bcdac299930fc69c9d4df5896c1ccdd64f23dcbcd217ea257fafeab2218fbe4
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros. The Auto_Open macro is designed to copy the workbook to the Excel startup folder as 'mypersonnel.xls', establishing persistence. The Auto_Close macro attempts to convert the file to an older .xls format and delete the .xlsx version. The ClamAV detection and the presence of Auto_Open/Auto_Close macros strongly indicate malicious intent, likely for persistence or further payload delivery.

Heuristics (5)

  • ClamAV: Xls.Malware.ExcelSic-10004731-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.ExcelSic-10004731-1
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: d49b3eed57ea333340314eacd5bf3454f6a2ba3085f3bfa723034dd1a2d97cfb
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1510 bytes