Office (OLE) / .XLSX malware analysis — malicious · e313552470780584

MALICIOUS

Office (OLE) / .XLSX

75.0 KB Created: 2020-10-25 18:24:14 Authoring application: Microsoft Excel

MD5: 3ee1d217550d9a55c163425be47b8011 SHA-1: 1bbfcfca3f3825519f9f788e22e44729b8076ead SHA-256: e3135524707805846676cd7c532842a58e3592d4feda5f162443175e32032ec5

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 PowerShell T1059.001 PowerShell T1204.002 Malicious File

The sample contains Excel 4.0 macros that are designed to execute a PowerShell command. This command reconstructs the URL "https://cutt.ly/7gX8MWJ" to download a file named "as.exe" into the user's AppData directory. Subsequently, another PowerShell command is executed to move the downloaded file to the AppData directory and then execute it. The presence of an Auto_Open macro further indicates malicious intent.

Heuristics 4

ClamAV: Xls.Malware.Abracadabra-10031695-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `308d6973e3d54ebea146ed56c9e22d483387a9a9b4f34ed5ad04949bce3c405a`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	1259 bytes
`macros.bas` `fee65a11429dc10585813f204465c30b1b3c2131639dcde641611baba3f7538f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	830 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.