Remcos — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 96bf0039c8086e96…

MALICIOUS

Office (OLE) / .XLS

440.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: 06278f61fb1e92e3f197930234fa6eb8 SHA-1: 34b83031b8bcbfeb820fa65a09f6e480a4f430b0 SHA-256: 96bf0039c8086e96b175fc8c5d09bd6ebb70c40a7f3a00293eebe287da4ecc8c
120 Risk Score

Malware Insights

Remcos · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic

The critical ClamAV detection explicitly identifies the sample as 'Xls.Downloader.Remcos'. The VBA macros contain obfuscated PowerShell code that, when deobfuscated, attempts to download and execute a VBS file from a suspicious URL. The GetObject heuristic further supports the malicious nature of the macros.

Heuristics 3

  • ClamAV: Xls.Downloader.Remcos-ffff7e420001049f-9951592-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Remcos-ffff7e420001049f-9951592-0
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9240bbde8d695b020292581b3dd082dbd5e366f70de4070451cec25d428895eb		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2947 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.