Valyria — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 94d4ccaf51e8ba1d…

MALICIOUS

Office (OLE) / .XLS

203.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: b8e26973e1ea3a93065aecf63cef24dc SHA-1: 1e1634509912c7d28139293e57780b18c06273f7 SHA-256: 94d4ccaf51e8ba1d40ecaa55ade06d878a2b0d78f3c146d586cd2f401eba8bc6
282 Risk Score

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols

The file is a macro-enabled Excel spreadsheet containing Workbook_Open and Auto_Open macros, indicating it is designed to execute code upon opening. The presence of the URLDownloadToFile API call and embedded URLs strongly suggests the macro's intent is to download and execute a second-stage payload from one of the listed IP addresses. The ClamAV detection as 'Xls.Malware.Valyria-10029771-0' further supports the malicious nature and points to the Valyria family.

Heuristics 8

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • ClamAV: Xls.Malware.Valyria-10029771-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10029771-0
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://94.140.114.44/
    • http://103.155.92.211/
    • http://193.38.54.149/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6ea0dcbce704cc9662a989ee429fec0894ed516bccab67b859e6a519d0cedde3		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3824 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.