Office (OLE) / .XLS malware analysis — malicious · dfaedaa006361064

MALICIOUS

Office (OLE) / .XLS

733.5 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel

MD5: 526219eb4e3ab1dd72d4baa517601798 SHA-1: a862e1639e69015f1b1d2b6802ccb0f117090db4 SHA-256: dfaedaa0063610648308e138d1f970068875ec5afe9f37e2f41748555d82bf97

400 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter

The sample is a malicious Excel file identified by ClamAV as Win.Dropper.Hideproc-6663113-0. It contains VBA macros that leverage the Shell() function, indicating an intent to execute external code. Furthermore, a PE executable is embedded within the document, and heuristics suggest the use of Windows Script Host and dynamic API loading (VirtualAlloc, LoadLibrary, GetProcAddress), typical of droppers designed to download and execute second-stage payloads. The embedded URL 'http://www.microsoft.com0' is suspicious and likely used for payload delivery.

Heuristics 10

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Dropper.Hideproc-6663113-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.microsoft.com0
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
- http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `aafcaaf90595ab36360aa7ebea1d205f695ebaa4733d161e0344dd0c919faf50`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	14318 bytes
`embedded_office_000044f1.exe` `6e0a0b5bf504c2040eb585ba27b179f6a43747bedf95daa855d6786e9f0407d1`	embedded-pe	Office MZ+PE at offset 0x44F1	733455 bytes
Detection ClamAV: Win.Dropper.Hideproc-6663113-0 Obfuscation or payload: unlikely
`ole10native_00.bin` `c64dcafa616038fea032c518953dfc75dfdce8774d27a2c205eadd410e71075a`	ole-package	OLE Ole10Native stream: MBD0001C810/Ole10Native	611869 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.