Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 ccf9c52f4542acef…

Verdict: MALICIOUS

File type: Office (OLE) / .XLSX

Size: 75.0 KB
Created: 2020-10-25 18:24:14
Authoring application: Microsoft Excel
MD5: 7ba7817848e5d33a4f5b301b075120d8
SHA-1: eacf413cf0b6db5ae2f36149dfd2792812a257f7
SHA-256: ccf9c52f4542aceff583c50226397e1f31630836f08ab40759e01eeaa5538ef4
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The file contains both VBA and Excel 4.0 macros. The VBA macro 'auto_open' triggers an Excel 4.0 macro named 'Auto_ouvrir52'. This Excel 4.0 macro constructs and executes a PowerShell command to download a file named 'qc.exe' from 'https://cutt.ly/XgX89zi' and then moves it to the user's AppData directory. Finally, it executes the downloaded payload.

Heuristics (4)

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro [high] OLE_VBA_AUTO
    The document contains a VBA Auto_Open macro that runs automatically when the workbook is opened.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
  SHA-256: f56e0a568bb0a4dbb841c50904d8c964326ee45ecae54185800db1c6516cd7db
  Kind: xlm-macro
  Source: oletools.olevba.extract_all_macros (XLM macro listing)
  Size: 1259 bytes

Filename: macros.bas
  SHA-256: fee65a11429dc10585813f204465c30b1b3c2131639dcde641611baba3f7538f
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 830 bytes