Xls.Downloader.b83ac4c497e169b5-9980307-0 Office (OLE) / .XLS malware analysis — malicious · e18575f43d942398

MALICIOUS

Office (OLE) / .XLS

74.0 KB Created: 2022-11-29 07:16:03 First seen: 2022-12-02

MD5: 0c4fadbe9ab5a757d70b9333786d74b1 SHA-1: 7ffb53a1317e32df13d844e791bc1138e6722455 SHA-256: e18575f43d94239872aa627df89c4b2ebd117c77b3a09f67b7061e9f0bc289fd

188 Risk Score

Malware Insights

Xls.Downloader.b83ac4c497e169b5-9980307-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The file is an XLS document containing VBA macros. The macros utilize CreateObject to instantiate MSXML2.XMLHTTP and the Shell() function, indicating an intent to download and execute a second-stage payload from a remote source. The ClamAV detection name further supports its classification as a downloader.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7aa807d266e0fbfc057565ac72ebadfaaae7c974f83a8f70f0e053cfba7655ac`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5075 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.