Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f15d81061f758dbc…

MALICIOUS

Office (OLE) / .XLS

134.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: ffd5276b620edc1110b4d2be2af86434 SHA-1: 0340b89b5b78bbe0ea53c5a6ac6110737dc00249 SHA-256: f15d81061f758dbcd06aeff487b4c184c1fa60fe747dc25eda9a0481170d3ed2
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is a macro-enabled Excel spreadsheet containing Auto_Open and Auto_Close macros, indicating malicious intent. The ClamAV detection name 'Doc.Downloader.Docusign112100-9908075-0' suggests it functions as a downloader. The embedded VBA macros, though truncated, likely contain logic to execute downloaded payloads. The presence of multiple unknown-reputation URLs points to the distribution infrastructure for the second-stage malware.

Heuristics 5

  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://190.14.37.220/
    • http://23.106.125.233/
    • http://178.23.190.199/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7c028873d3a367a7a78d94c4c513a8dd82367b9c300e1f220f0b30deb2be71cc		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 4965 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.