Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ee11974d71394ce1…

MALICIOUS

Office (OLE) / .XLS

Size: 133.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-10-11
MD5: 4e56232d651d25d9d6ddc48aea6ef2d3
SHA-1: b011a23112a64d0c2a0668c4eff78aeaa325c80a
SHA-256: ee11974d71394ce13b32610042ad432a589d395fd1d33d31539c930e8ddce3ff
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The presence of Auto_Open and Auto_Close macros, along with a critical heuristic firing for URLDownloadToFile, indicates that this Excel file is designed to download and execute a secondary payload. The VBA script itself appears to be primarily for UI manipulation within Excel, but the underlying macro functionality is malicious. The embedded URLs are the most likely sources for the second-stage payload.

Heuristics (6)

  • [critical] SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • [high] OLE_VBA_AUTO: Auto_Open macro
  • [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
  • [medium] OLE_VBA_MACROS: Document contains VBA macro code
  • [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://190.14.37.107/
    • http://94.140.114.111/
    • http://188.165.62.50/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 541bbf3f48f1b6b9352193868b1eb5b24144876194b7b7b4286dd723c387496c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4961 bytes