Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d6c487b1fb3d3185…

MALICIOUS

Office (OLE) / .XLS

67.0 KB | Created: 2021-08-17 12:24:08 | Authoring application: Microsoft Excel
MD5: 97c8a4a020e91a415d49f77293db32b2
SHA-1: 22d67ef270e69fdddd2a4a7a8986d575922fc14b
SHA-256: d6c487b1fb3d31851921b343f3d131f7cb4c0469a60484037a6fa8cfbdc29dea
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is a malicious Excel spreadsheet containing an Auto_Open macro. This macro uses the ScriptControl object, which is known to be exploitable via CVE-2015-0097, to execute embedded VBA code. The ClamAV detection name 'Xls.Downloader.MirrorBlast' suggests the macro's purpose is to download and execute a secondary payload. The heuristics that fired strongly indicate this exploit and macro execution.

Heuristics 4

  • MSScriptControl.ScriptControl — CVE-2015-0097 | high | CVE likely | CVE_2015_0097_SC
  • ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
  • Auto_Open macro | high | OLE_VBA_AUTO
  • VBA macros detected | medium | OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (c5b27ae94e08564e865ba50cddfc76a6a9e2536146851a8b85b6e38e5bc1eef3) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1202 bytes