Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d4bb580b6bcbe67b…

MALICIOUS

Office (OLE) / .XLS

Size: 133.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 0f05113640674566c175e9ce933cf425
SHA-1: 4a6c5b31c4181c55e44089273eb6426c47509b10
SHA-256: d4bb580b6bcbe67b209827dcb3938f5a87655c501a0ebc3596a05ee0815b548d
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.002 Spearphishing Attachment

The file is a macro-enabled Excel spreadsheet containing VBA macros. The presence of Auto_Open and Auto_Close macros indicates an attempt to automatically execute code upon opening or closing the document. The VBA code appears to be designed to run a macro from a sheet named 'Niola', which likely initiates the download of a secondary payload from one of the embedded URLs. The ClamAV detection 'Doc.Downloader.Docusign112100-9908075-0' further supports its role as a downloader.

Heuristics 5

  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://5.196.247.6/
    • http://94.140.112.149/
    • http://84.246.85.196//

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (57dbf314ba8d8e0cd5ae01430a1b3452bf5356fd0c3f739414504ecdf5e48acc) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3568 bytes