Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 cf4b6e2aa068a745…

MALICIOUS

Office (OLE) / .XLS

Size: 74.0 KB
Created: 2022-11-29 07:16:03
Authoring application: Microsoft Excel
First seen: 2022-12-02
MD5: 472688a4c8612d87b98d74d02c9393e7
SHA-1: f565a3334dbbf2cf3eb3993013b500a427228cc0
SHA-256: cf4b6e2aa068a74522825c87435464aa70977fa428c95854c349942912a5f4bc
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1105 Ingress Tool Transfer

The file is an Excel spreadsheet containing VBA macros. Critical heuristics flag Shell() and CreateObject() calls, indicating execution of external commands and instantiation of COM objects. The VBA code attempts to download content from a URL via MSXML2.XMLHTTP and then processes the response, consistent with fetching and executing a second-stage payload. The ClamAV detection as 'Xls.Downloader' further supports this assessment.

Heuristics (5)

  • Shell() call in VBA [critical, OLE_VBA_SHELL]
  • ClamAV detection [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • CreateObject() call [high, OLE_VBA_CREATEOBJ]
  • VBA macros detected [medium, OLE_VBA_MACROS]: document contains VBA macro code
  • Environ() call (environment variable access) [low, OLE_VBA_ENVIRON]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2ad79b085dc7b5cd9fc4e2ac7c49b8975f5ee62aa59c83654239fde5b5252c80
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5071 bytes