Office (OLE) / .XLS malware analysis — malicious · d3bf5ac8786b4ae8

MALICIOUS

Office (OLE) / .XLS

63.5 KB Created: 2022-11-10 07:57:43 Authoring application: Microsoft Excel First seen: 2022-11-10

MD5: a7c46f5427a76c8e4338ea9fdf0056c8 SHA-1: 433bb9bcc4a56c305c196cebc4d370ebc6b97add SHA-256: d3bf5ac8786b4ae8e33c646098065b1fbbd68b3f3b4a8eb2c649cd33d43a0bba

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample contains VBA macros that utilize the Shell() function to execute commands. The script decodes a base64 string to construct a URL, 'https://1y2ou4bi60ci.com/c12o-m', which is then used to download a second-stage payload. This payload is saved as 'C:\cal.exe' and executed via 'rundll32.exe'. The ClamAV detection name 'Xls.Downloader.b83ac4c497e169b5-9980307-0' further supports its role as a downloader.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `027e1662a91ca9e45724cd5eba018a07f94311c2655f7f5e5f4fe6e85aa3f3e8`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3119 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.