Office (OLE) / .XLS malware analysis — malicious · cb3c1cef71edcfdb

MALICIOUS

Office (OLE) / .XLS

85.5 KB Created: 2021-04-19 10:40:48

MD5: c879be8f24b91b3b6ef06c248bea8239 SHA-1: 6cf4a85af842c42825940c66cf5ac579a3f0b531 SHA-256: cb3c1cef71edcfdb4097fcf20e55646c69636fb8b7bf295568de7ede8d75a870

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell T1059.004 Unix Shell

The file contains Excel 4.0 macros and VBA macros, with the VBA macros specifically utilizing the URLDownloadToFileA API. This indicates the sample's primary function is to download and execute a second-stage payload from a remote location. The presence of the URLDownloadToFile API call is a critical indicator of this malicious behavior. No specific family could be identified, but the technique is common for initial access and payload delivery.

Heuristics 4

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `41be2b5c82d9e14d9be1fbaeffee5a79c9b77b94caf7ea9a5931c5a76fa1b8bb`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	680 bytes
`macros.bas` `d266684a4e73395f6d7768123e22ceb5636c1353d8e52aa10e9cd19812879b5c`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2870 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.