Office (OLE) / .XLS malware analysis — malicious · d1e95df7803f4ccf

MALICIOUS

Office (OLE) / .XLS

731.0 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel

MD5: 1e70b858080be64e66e6e5b48d67b24d SHA-1: 7babf395966509a5e1ec2de7c63083a9ffa5dd64 SHA-256: d1e95df7803f4ccf8d49bfa987fc35c5ed89adc89820d8c06e4a1df5bd8e40f3

400 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059.003 Windows Command Shell T1059.001 PowerShell

The sample is an Excel file containing VBA macros. Critical heuristics indicate the presence of a Shell() call and an embedded PE executable. The macros reference Windows APIs such as VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting dynamic code loading and execution. The embedded PE executable, detected by ClamAV as Win.Dropper.Hideproc-6663113-0, is likely the secondary payload. The presence of an unknown URL also warrants attention.

Heuristics 10

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Dropper.Hideproc-6663113-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.microsoft.com0
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
- http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `aafcaaf90595ab36360aa7ebea1d205f695ebaa4733d161e0344dd0c919faf50`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	14318 bytes
`embedded_office_000044f1.exe` `be5df4bf1cc2bb1f7e4c31a0f2ce8f6799c752930984441b109f990c21101480`	embedded-pe	Office MZ+PE at offset 0x44F1	730895 bytes
Detection ClamAV: Win.Dropper.Hideproc-6663113-0 Obfuscation or payload: unlikely
`ole10native_00.bin` `c64dcafa616038fea032c518953dfc75dfdce8774d27a2c205eadd410e71075a`	ole-package	OLE Ole10Native stream: MBD0001C810/Ole10Native	611869 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.