Xls.Downloader.d795e45a60a593c6-9978800-0 Office (OLE) / .XLS malware analysis — malicious · e332ffd69d545f80

MALICIOUS

Office (OLE) / .XLS

51.0 KB Created: 2022-11-03 08:29:55 Authoring application: Microsoft Excel First seen: 2022-11-03

MD5: 57d9b9038c7c970c347a65f112d9e9ae SHA-1: 644d2189f516112ea4f48c186e7518d8faf8fdf6 SHA-256: e332ffd69d545f80250b02dfab8c31e37b3c8c57b728202fbadb8c09588691fa

188 Risk Score

Malware Insights

Xls.Downloader.d795e45a60a593c6-9978800-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer

The file is an Excel spreadsheet containing VBA macros. Heuristics indicate the presence of Shell() and CreateObject() calls, commonly used for executing commands and downloading payloads. The ClamAV detection name further supports its classification as a downloader. The script attempts to download and execute a second-stage payload, as evidenced by the use of CreateObject to instantiate an object for network requests and the Shell() function to execute downloaded content.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.d795e45a60a593c6-9978800-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.d795e45a60a593c6-9978800-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `07974c00dae2f996a4ad6177b3e15b54a06b324d19449a22ec13f806636396b2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3443 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.