Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 aab6d3e32436f212…

MALICIOUS

Office (OLE) / .XLS

Size: 50.0 KB
Created: 2021-03-29 13:07:45
MD5: f2b6af138796806a5bc62f323d27682b
SHA-1: e23c7750116dbd15a9a7a5239b9465f43c46034a
SHA-256: aab6d3e32436f21299284820659ceddc446fda65f83e1f5b67d6f27c84c86528
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The file contains both Excel 4.0 (XLM) and VBA macros. The VBA macro explicitly uses the URLDownloadToFileA API, indicating an intent to download and execute a second-stage payload from a remote source. The presence of both macro types and the direct API call strongly suggest a malicious downloader. No specific family could be identified.

Heuristics (4)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename        Kind        Source                                                   Size
xlm_macros.txt  xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   680 bytes
                SHA-256: 304f284b0294f859dfb42ee305369f0c6918dac523a4e0c9c640e7c4fab24985
macros.bas      vba-macro   oletools.olevba.extract_macros (decoded VBA source)      2867 bytes
                SHA-256: 7c7ff10fd61dff57808dbe15ef21419e0ad0106688146415bab276db9d74883c