Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 9410963eae7c433d…

MALICIOUS

Office (OLE) / .XLSX

Size: 55.5 KB
Created: 2022-11-29 07:16:03
Authoring application: Microsoft Excel
First seen: 2022-11-30
MD5: 662bbbc67893f53925e754d50945f90d
SHA-1: 0b2358512298ca1f9439518706fec569bf657fdd
SHA-256: 9410963eae7c433de31fd268bdb5823682407e5a92102a220e9bddf170b9b552
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The Excel file contains VBA macros that utilize the CreateObject function to instantiate MSXML2.XMLHTTP and the Shell() function to execute downloaded content. The HTML_PDF function attempts to download content from a provided URL, which is then processed by other functions. This indicates a downloader pattern designed to fetch and execute a secondary payload.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7aa807d266e0fbfc057565ac72ebadfaaae7c974f83a8f70f0e053cfba7655ac
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5075 bytes