Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d4d1d876fa7ce9b8…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS

Size: 774.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
MD5: 1a886ab31b39696a5e29721d846c58bb
SHA-1: 3d24c71d7fd6d8f81179cbb527cc922e48bbd266
SHA-256: d4d1d876fa7ce9b81f4968e934d81e6e057010c0c8d0f73f958e0c81cb0a8ca9
Risk Score: 420

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information
  • T1129 Execution through API

The sample is an Excel file with a high-confidence verdict of malicious. It contains embedded VBA macros and an executable file. The heuristics indicate the use of Shell() calls and Windows Script Host, suggesting the macros are used to execute the embedded PE file or download additional payloads. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress APIs further supports the execution of external code. The embedded executable was also flagged as malicious by ClamAV.

Heuristics (11)

  • Shell() call in VBA (critical; OLE_VBA_SHELL)
  • Embedded PE executable (critical; OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document: possible embedded executable
  • ClamAV: Xls.Dropper.Agent-7630844-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7630844-0
  • ClamAV detection on extracted artifact (critical; EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to Windows Script Host (high; SC_STR_WSCRIPT)
  • Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)
  • Excel 4.0 (XLM) macro sheet present (medium; OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL http://www.microsoft.com0
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    All of these appear to be Microsoft PKI CRL and certificate URLs of the kind found in an Authenticode signature block rather than attacker infrastructure; the trailing characters (0, 0X, 0Z, 0T) are adjacent binary bytes carved along with each string. The URLs are reproduced here exactly as extracted.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • xlm_macros.txt
    SHA-256: cecc55eda2b5152d16811fb9f7d84d2c2ae99b71968c238082e33eb9a621837e
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 665 bytes
  • macros.bas
    SHA-256: b4a3b0c4d1d8d12b7662a6bc6c782e1e01996302bb153971c194562906b918e6
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 14356 bytes
  • embedded_office_00004541.exe
    SHA-256: 9c88945391e7664ccb59bc86de2b43d9bfe61be039abb51685e1d6c4b0b43a10
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x4541
    Size: 775359 bytes
    Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    SHA-256: 97302016e0ec380e50015b7d8d846fb3ed5d0d354e4ab8437c82ea4b77695faa
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD0004C53B/Ole10Native
    Size: 612621 bytes