Xls.Downloader.b83ac4c497e169b5-9980307-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 c8e23948a553cc3d…

MALICIOUS

Office (OLE) / .XLS

50.0 KB Created: 2022-08-31 08:29:17 Authoring application: Microsoft Excel First seen: 2022-08-31
MD5: d607a28736834608ad8bc1a7642aebc1 SHA-1: 48d3ddd71c75177735924fd14b2638e4d03dcf0b SHA-256: c8e23948a553cc3d7bed2a44a54ac54a5ae85800ce720826b6c224ba53ceb18e
240 Risk Score

Malware Insights

Xls.Downloader.b83ac4c497e169b5-9980307-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The VBA macro contains a call to URLDownloadToFileA, which is used to download a file from a URL. The URL is constructed from a hex-encoded string and appears to be 'http://104.116.116.115:92c92o10197Q11512111611111611111410597m10846y99N111109'. This functionality strongly suggests the sample acts as a downloader for a second-stage payload. The ClamAV detection name also indicates a downloader family.

Heuristics 5

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ecde2d354ff6d1c7d529a29320e2b5b209e048c9fcf13ea7039723cf5e3a7758		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2495 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.