Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c8531de8e1d8bf5c…

MALICIOUS

Office (OLE) / .XLS

Size: 133.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: dee40af6dd65edaa4fa8e9a482d56258
SHA-1: 2ca08a2279cb59e0ffe8ae146c92990ba686fc36
SHA-256: c8531de8e1d8bf5c1c19ab912da4bc1e9d9719cfa53559d3ffd635d13e1422bd
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel file containing VBA macros, with both Auto_Open and Auto_Close subroutines present, indicating malicious intent. The Auto_Open macro attempts to run a function that likely initiates a download process using embedded URLs. The ClamAV detection as 'Doc.Downloader' further supports this. The VBA code is partially obfuscated but clearly indicates the execution of embedded macros upon opening, which is a common technique for downloading and executing further stages of malware.

Heuristics (5)

  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • Auto_Open macro (high, OLE_VBA_AUTO)
    The document contains an Auto_Open macro, which runs automatically when the workbook is opened.
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    The document contains an Auto_Close macro, which runs automatically when the workbook is closed.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://5.196.247.6/
    • http://94.140.112.149/
    • http://84.246.85.196//

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 57dbf314ba8d8e0cd5ae01430a1b3452bf5356fd0c3f739414504ecdf5e48acc
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3568 bytes