Office (OLE) / .XLS malware analysis — malicious · 9074c89858ef0554

MALICIOUS

Office (OLE) / .XLS

263.5 KB Created: 2021-03-24 13:25:50

MD5: 47f7006dc586d532962011c15595100c SHA-1: 254eee7832d7dfe747c8eae34f12524587d50f37 SHA-256: 9074c89858ef05547dc22166379eefbd7a96f9f54df6281945f80643e5ad87c7

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell T1059.004 JScript/VBScript

The file contains both VBA and XLM macros, with the VBA macro utilizing the URLDownloadToFile API to download a second-stage payload. The XLM macro also indicates the presence of macro functionality. The document body contains seemingly random alphanumeric strings, which may be obfuscation or part of a larger data structure, but the primary malicious activity is driven by the macro's download functionality.

Heuristics 4

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `b956a91376a4021e8b3248bee4e2f243b4808d6ca35b3d3a5c675b05fe21286e`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	322908 bytes
`macros.bas` `e9c923e0c290247f60bb143a98691e553369e31b999815ed39eea4a0e0174ef4`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3161 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.