Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bec9dda4641527bd…

MALICIOUS

Office (OLE) / .XLS

Size: 78.5 KB
Created: 2020-11-20 17:59:00
Authoring application: Microsoft Excel
MD5: 71f72945d20fac7bd265f22e4cd8ce0c
SHA-1: 0798bc1fcfcd81562c9b34177ed8ed793ba0196f
SHA-256: bec9dda4641527bd36779a23976197439164c1fb862f159813075085948bb761
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1204.002 Malicious File

The file is an Excel 4.0 macro-enabled spreadsheet. The Auto_Open macro triggers the execution of an XLM macro. This XLM macro constructs and executes a PowerShell command to download 'sm.exe' from 'https://cutt.ly/ZhYoHSL' and then moves it to the user's AppData directory, establishing persistence. The VBA macro also calls the XLM macro, reinforcing the execution flow.

Heuristics (4)

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro [high, OLE_VBA_AUTO]
    Document contains an Auto_Open macro that runs automatically when the workbook is opened.
  • Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename         Kind        Source                                                    Size
xlm_macros.txt   xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)    1784 bytes
                 SHA-256: 9c9ba5642cac562e50df5d6f9075699d7cd2fd8ddcfebd91fae6698e2d44babc
macros.bas       vba-macro   oletools.olevba.extract_macros (decoded VBA source)       1016 bytes
                 SHA-256: cd570610748f1d9f3b3da8aecc12295e1dff4beebd51624b3e1fafca26bf9c59