EarthKasha — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 e123fa2abf1a2f12…

MALICIOUS

Office (OLE) / .XLS

Size: 3.21 MB
Created: 2025-03-06 03:21:37
Authoring application: Microsoft Excel
MD5: 016df9e04a1cb43d5d109dccc5144f4b
SHA-1: da30cd4cfa97a12ff679ad2fc05a9c6152645ece
SHA-256: e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc
Risk Score: 248

Malware Insights

EarthKasha · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.002 Phishing: Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Xls.Phishing.EarthKasha-10045488-0. High-severity heuristics flag VBA macros that call CreateObject and GetObject, together with a password-protected archive lure: the document instructs the user to enter a password for an archive or attachment, a pattern used to keep a payload encrypted until it is past gateway scanning. Taken together, this points to a document built to talk the user into bypassing security controls, most likely so that a secondary payload can be downloaded and executed. The extracted VBA source is obfuscated (56 Chr/ChrW string-construction calls), which further supports malicious intent. CreateObject, GetObject and Environ() also occur in legitimate macros, so the verdict rests on the ClamAV signature and the combination of indicators rather than on any single call.

Heuristics (7)

  • ClamAV: Xls.Phishing.EarthKasha-10045488-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Phishing.EarthKasha-10045488-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
    URL found in the extracted artifact: https://support.microsoft.com/en-us/office/how-to-get-support-for-outlook-com-f5482a98-616c-4d44-b7c5-8aaaadf5c11a
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 73b2afb77688fff76566b0383fb816b7c10fb44200c411115105d589721e06b3
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7806 bytes
Detection
  • ClamAV: No threats found (the Xls.Phishing.EarthKasha signature matched the parent .xls container, not the carved macro source on its own)
  • Obfuscation or payload: likely
    Carved artifact contains 56 Chr/ChrW string-construction calls.
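As an added example (not code from the analysis platform, from oletools, or from the sample itself), the triage below reproduces the report's static checks in plain Python on a constructed VBA snippet: it counts Chr/ChrW calls the way the artifact triage does, rebuilds the string literals those chains construct, and flags the CreateObject, GetObject and Environ() calls behind the OLE_VBA_* heuristics. The snippet, the regexes, the keyword list and the obfuscation threshold of 10 calls are this example's own assumptions; the real macros.bas is not reproduced here.

```python
from __future__ import annotations

import re

# Constructed VBA snippet, not the macros.bas from this report. It imitates the
# patterns the heuristics above flag: Chr/ChrW string construction,
# CreateObject, GetObject and Environ().
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim s As String, p As String
    s = Chr(87) & Chr(83) & ChrW(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    p = Environ("TEMP") & Chr(92) & "x.exe"
    Set o = CreateObject(s)
    Set w = GetObject("winmgmts:")
End Sub
'''

# One Chr(n) / ChrW(n) call with a literal numeric argument.
CHR_CALL = re.compile(r'\bChrW?\s*\(\s*(\d+)\s*\)', re.IGNORECASE)
# A run of such calls joined with & or +, i.e. one obfuscated string literal.
CHR_CHAIN = re.compile(
    r'\bChrW?\s*\(\s*\d+\s*\)(?:\s*[&+]\s*\bChrW?\s*\(\s*\d+\s*\))*',
    re.IGNORECASE,
)

# Heuristic names are taken from the report; the regexes are this example's own.
CALL_HEURISTICS = {
    "OLE_VBA_CREATEOBJ": re.compile(r'\bCreateObject\s*\(', re.IGNORECASE),
    "OLE_VBA_GETOBJ": re.compile(r'\bGetObject\s*\(', re.IGNORECASE),
    "OLE_VBA_ENVIRON": re.compile(r'\bEnviron\s*\(', re.IGNORECASE),
}

# Terms worth surfacing once strings are rebuilt (assumed list for this example).
DECODED_TERMS = ("wscript.shell", "shell.application", "powershell", "cmd", "http")

# Assumed threshold: this many Chr/ChrW calls is treated as likely obfuscation.
CHR_OBFUSCATION_THRESHOLD = 10


def count_chr_calls(vba: str) -> int:
    """Count Chr/ChrW calls with literal arguments, as the artifact triage does."""
    return len(CHR_CALL.findall(vba))


def decode_chr_chains(vba: str) -> tuple[str, list[str]]:
    """Replace every Chr/ChrW chain with the VBA string literal it builds.

    Returns the rewritten source and the list of recovered strings, in order.
    """
    recovered: list[str] = []

    def rebuild(match: re.Match) -> str:
        text = "".join(chr(int(n)) for n in CHR_CALL.findall(match.group(0)))
        recovered.append(text)
        # VBA escapes a double quote inside a literal by doubling it.
        return '"' + text.replace('"', '""') + '"'

    return CHR_CHAIN.sub(rebuild, vba), recovered


def triage(vba: str) -> dict:
    """Static triage of one decoded VBA module, mirroring the report's heuristics."""
    chr_calls = count_chr_calls(vba)
    decoded_src, recovered = decode_chr_chains(vba)
    lowered = decoded_src.lower()
    return {
        "chr_calls": chr_calls,
        "heuristics": [name for name, rx in CALL_HEURISTICS.items() if rx.search(vba)],
        "recovered_strings": recovered,
        "decoded_hits": [term for term in DECODED_TERMS if term in lowered],
        "obfuscation_likely": chr_calls >= CHR_OBFUSCATION_THRESHOLD,
        "decoded_source": decoded_src,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for key in ("chr_calls", "heuristics", "recovered_strings",
                "decoded_hits", "obfuscation_likely"):
        print(f"{key}: {result[key]}")
    print(result["decoded_source"])
```

On the constructed snippet the 14 Chr/ChrW calls decode to "WScript.Shell" and a backslash, so the CreateObject target that was hidden in the source becomes readable and the decoded-term scan fires on it. Against the real sample the same step is done with oletools (olevba's `--deobf` option rewrites Chr chains in the extracted source); the rebuilt strings, not the raw call count, are what tell you whether the macro reaches for a shell object, a download URL or a staging path.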