Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9caed14e7f7d3e47…

MALICIOUS

Office (OLE) / .XLS

Size: 71.5 KB
Created: 2020-04-23 08:50:03
Authoring application: Microsoft Excel
MD5: 1ffa1ecdbfdd5c8f84fce0ab33296b30
SHA-1: e9eae2067a2a32b0d31b5ad8f6d8a7f18e6c8688
SHA-256: 9caed14e7f7d3e4706db2e74dc870abff571cce715f83ef91c563627822af6ad
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The file is identified as malicious by ClamAV with the signature Xls.Malware.Agent-7700294-0. Static analysis detected VBA macros and a CreateObject call, indicating that the document can execute embedded code. References to WScript (Windows Script Host) further support script execution. The primary function appears to be downloading and executing a second-stage payload, as suggested by the heuristics that fired.

Heuristics 4

  • ClamAV: Xls.Malware.Agent-7700294-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Agent-7700294-0
  • Reference to Windows Script Host (severity: high, ID: SC_STR_WSCRIPT)
  • CreateObject call (severity: high, ID: OLE_VBA_CREATEOBJ)
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (0cb99f4cb7b5f3fecd61c90a3d048dbc81bcb2e4dc13020b064fdb641d452a91)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1199 bytes