Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 cd315439089bed56…

MALICIOUS

Office (OLE) / .XLS

Size: 54.0 KB
Created: 2021-03-31 11:03:48
MD5: 4a5ec51358843b301c202bd898abfdb3
SHA-1: ed537e657e3debbd7877fcffea6feafd3c983d3a
SHA-256: cd315439089bed5676f19ac3eaae192497d36a5ecc5419ec783afb7440ac17fe
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.001 Command and Scripting Interpreter: PowerShell

This XLS file contains Excel 4.0 macros and VBA macros. The VBA macro utilizes the URLDownloadToFileA API, indicating an intent to download and execute a second-stage payload from a remote source. The presence of both macro types suggests a multi-stage infection process, common in various malware families. The document body text is heavily obfuscated and does not provide clear user-facing lures.

Heuristics (4)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
    Reference to the URLDownloadToFile API found in the sample.
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile is called from the VBA macro code.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
  SHA-256: dd0b0d5568b93d5cbe3417cc64209fece3981e3362b24e5d68eaa284315b7540
  Kind: xlm-macro
  Source: oletools.olevba.extract_all_macros (XLM macro listing)
  Size: 686 bytes

Filename: macros.bas
  SHA-256: 35fb6a16f5fe320dd3eb1ab6e63570c1b01582ba7f735952a25d5316371188db
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 2865 bytes