Xls.Downloader.b83ac4c497e169b5-9980307-0 Office (OLE) / .XLS malware analysis — malicious · eb84a283ff589067

MALICIOUS

Office (OLE) / .XLS

52.0 KB Created: 2022-10-06 08:24:44 First seen: 2022-10-06

MD5: d3032968085db665381d9cbd3569f330 SHA-1: 9230520c6dd215e2152bb2e56b2a5d6b45ae8e13 SHA-256: eb84a283ff58906786d63ffe43a8ff2728584428f5f7d9972c664f63f8790113

188 Risk Score

Malware Insights

Xls.Downloader.b83ac4c497e169b5-9980307-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_SHELL indicates the presence of a Shell() call within the VBA macros, and OLE_VBA_CREATEOBJ suggests the creation of objects for execution. The VBA script attempts to download a payload from the hardcoded URL '3uAr7l;hLt21tKOp3s0:/12Q/Ss7Nim3SipiOO8mi.20cDOoVm5' using a QueryTable object. This strongly suggests the file acts as a downloader for further malicious activity.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Xls.Downloader.b83ac4c497e169b5-9980307-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.b83ac4c497e169b5-9980307-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `923e80110eaaf8988488643d1b3137e7f8ec4522c327f1e2aee8f922c07d8719`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.