Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8bf42402c94dd09d…

MALICIOUS

Office (OLE) / .XLS

Size: 401.0 KB
Created: 2020-11-20 17:59:00
Authoring application: Microsoft Excel
MD5: 801a1b2fabc8acfbe85ad0790df77949
SHA-1: 971d4f88ffd0573e52a2d0de41cc9efcbf50fa18
SHA-256: 8bf42402c94dd09d86d6818f3a20d62eabdc9e1980d10110e73512a136679ef6
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file contains both VBA and Excel 4.0 macros, with the latter being triggered by the Auto_Open subroutine. The Excel 4.0 macro constructs and executes a PowerShell command to download a file named 'gu.exe' from 'https://cutt.ly/EhTZ5NQ' and save it to the user's AppData directory. The VBA macro appears to be a loader for the XLM macro, setting up the necessary conditions for its execution.

Heuristics (4)

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • xlm_macros.txt
    Kind: xlm-macro
    SHA-256: 3ccff36561b798f2fe94cce574a9b77865f8f19e787169f4a7cb59376761b37f
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 1784 bytes
  • macros.bas
    Kind: vba-macro
    SHA-256: cd570610748f1d9f3b3da8aecc12295e1dff4beebd51624b3e1fafca26bf9c59
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1016 bytes