Xls.Downloader.b83ac4c497e169b5-9980307-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 d3b4b33a20ad1c23…

MALICIOUS

Office (OLE) / .XLS

Size: 65.5 KB
Created: 2022-10-24 06:47:42
Authoring application: Microsoft Excel
First seen: 2022-10-24
MD5: 4cf039e307c7056bdfaa113ddade244a
SHA-1: f6520789ac348fdd4a863fcd1b3ae93f862799ee
SHA-256: d3b4b33a20ad1c231d6955526e6282711eac8cc2d6fb89c9f7b353d0f9c574dc
188 Risk Score

Malware Insights

Xls.Downloader.b83ac4c497e169b5-9980307-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The sample is an XLS file containing VBA macros. Heuristics indicate the use of Shell() and CreateObject(), suggesting execution of external commands or scripts. The VBA macro attempts to download a payload from the hardcoded URL 'Mh9tV1t549p0sE:W/24/fPor45tihE3oo20k.cD77o6mH' and save it to a temporary file, which is then likely executed. This indicates downloader functionality.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Hash: 30b7148822c72f10d201765586b49cf59d51e49b514b2fd1feee7726b7a3de72
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3169 bytes