Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d9ada325c4630afa…

MALICIOUS

Office (OLE) / .XLS

Size: 88.0 KB
Created: 2020-10-25 18:24:14
Authoring application: Microsoft Excel
MD5: cef704a228ef79da2b67f2bd6d1691fb
SHA-1: 05718aa6b688825f3549e5e9bf0a54f884c04fad
SHA-256: d9ada325c4630afa2d3b0f8e3d7101651bd58e21b419705f07bacf42215a6657
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is an Excel 4.0 macro sheet that contains an Auto_Open macro. This macro executes a PowerShell command to download a file named 'zn.exe' from 'https://tinyurl.com/yyemcu45' and save it to the user's AppData directory. The macro also attempts to execute this downloaded file. The XLM macro explicitly constructs the PowerShell command, including the URL and the destination filename.

Heuristics (4)

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Document contains an Auto_Open macro that runs automatically when the workbook is opened.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename        Kind        Source                                                  Size
xlm_macros.txt  xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)  1726 bytes
                SHA-256: f0aca4b06f6c6491f87facaa4b2a4877379ceb6ee044cee2f82e86d1f7c45a66
macros.bas      vba-macro   oletools.olevba.extract_macros (decoded VBA source)     1065 bytes
                SHA-256: 953bf125fb95a97d67f1dfae6bad54545952dd76d888d2a1cbcc94e4187e5630