Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c73e70bcabefab8d…

MALICIOUS

Office (OLE) / .XLS

Size: 68.5 KB
Created: 2022-03-28 06:03:11
First seen: 2022-03-28
MD5: 36125e116418e73ba7dab25fe0d30f1a
SHA-1: 78266b0607bce9968abdd941df997b330de6063e
SHA-256: c73e70bcabefab8d66385cb8a5fbc4a39451809dc778a19f8a177ee8254d0fde
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The sample is a malicious XLS file containing VBA macros. Critical heuristics indicate the use of URLDownloadToFile within VBA, suggesting the macro's purpose is to download and execute a second-stage payload from a remote location. The presence of CreateProcess API references further supports the execution of downloaded content. No specific family could be identified, but the technique is common for initial payload delivery.

Heuristics (5)

  • [critical] SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
  • [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA
  • [high] SC_STR_CREATEPROCESS: Reference to CreateProcess API
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [medium] OLE_VBA_MACROS: VBA macros detected (document contains VBA macro code)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7f292ba61bb44b6916aea9847dcdc3b28ffde360bb78700f61095649056aa7b1
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10396 bytes