Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e331f9c19372cfd4…

Verdict: MALICIOUS
Type: Office (OLE) / .XLS
Size: 27.0 KB
Created: 2020-09-20 21:17:44
MD5: 3acbe5e1d7a0dceb1125d987988765ea
SHA-1: 7fafd588ff8b2e8fda79eab3a9460fa3c01bd6d8
SHA-256: e331f9c19372cfd42c85f2bbf26f58e9800c2f14504aed43825c7da3ef913d7a
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 PowerShell
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The Excel 4.0 macro sheet contains an Auto_Open macro that executes a PowerShell command. This command downloads a file named 'pd.bat' from the URL https://cutt.ly/3js2g8s and saves it to the temporary directory. The macro then sets the file's hidden and system attributes, executes it, and finally deletes it. The use of Excel 4.0 macros together with the download-and-execute chain is characteristic of downloader malware.

Heuristics (3)

  • [critical] Excel 4.0 Auto_Open defined name (OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • [critical] XLM Auto_Open with dangerous formula APIs (OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • [medium] Excel 4.0 (XLM) macro sheet present (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream: XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: be0b4e22bd17f39a986b86889dea41be9808bc18be534cb86dc5b95e1117496d
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 1484 bytes