Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c0e7779d3ee55e9d…

MALICIOUS

Office (OLE) / .XLS

670.5 KB Created: 2020-12-14 12:22:57 Authoring application: Microsoft Excel
MD5: 9909775be4d2e9cd06957e9819e77d0e SHA-1: 130512f34f289b8d90d0d16e7813efa6c85be12e SHA-256: c0e7779d3ee55e9d37636184c44671d1a778d6a81513efba0a325143bf4d6d2b
380 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The XLS file contains VBA macros, including a Workbook_Open auto-execution routine. This routine utilizes the Shell() function, indicating an attempt to execute arbitrary commands or download additional payloads. The presence of WScript references further supports the execution of external scripts. While no specific family is identified, the macro-based execution is a common delivery method for various malware types.

Heuristics 9

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Xls.Packed.Logan-9752153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Packed.Logan-9752153-0
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
2635221479a05de31d2f260d507b9eaa7f37ce921ac6af92ef3fd2348c9c64ba		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 61805 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin
e33e31bea5eaaab7f7e4adab9e161405e565969c79bd911aafb503e0d1c6ed7f		 ole-package OLE Ole10Native stream: MBD0049F25B/Ole10Native 439111 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.