Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f2e259102c28101c…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 850.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
MD5: 40478ee98dbed57b543b185fefe040e0
SHA-1: 5765a2a78534ea53420595f4c21b6208de06cf52
SHA-256: f2e259102c28101cef3b81328d249f94183cce528fd21ceaed650e154ce9acb7
Risk score: 400

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample is a malicious Excel workbook (XLS, an OLE compound file) that ClamAV detects as Win.Dropper.Hideproc-6663113-0. Its VBA macros reference Shell() together with the VirtualAlloc, LoadLibrary and GetProcAddress APIs, the usual combination for resolving Win32 functions at runtime and running code from a macro, plus a Windows Script Host reference. The document also carries a 853,263-byte PE executable at file offset 0x44F1, which ClamAV flags with the same signature, and a 611,869-byte Ole10Native (OLE Package) stream; the embedded PE is the likely second-stage payload. Taken together these point to dropper or downloader functionality. Note that the API names are string references found in the decoded macro source (the SC_STR_* heuristics below): they show intent, not execution, and the actual loading path has to be confirmed by reading macros.bas.

Heuristics (10)

  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [critical] OLE_EMBEDDED_EXE: Embedded PE executable
    MZ/PE header found inside the document; possible embedded executable.
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • [critical] EXTRACTED_FILE_CLAMAV: ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • [high] SC_STR_WSCRIPT: Reference to Windows Script Host
  • [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API
  • [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API
  • [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.microsoft.com
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
    Note: the extractor reported these with trailing "0", "0X", "0Z" and "0T". Those characters are not part of the URLs; they are the DER bytes that follow each URI inside a certificate (the SEQUENCE tag 0x30, which prints as "0", and its length byte), picked up by a printable-string scan. All seven are CRL distribution point and CA-certificate URLs for Microsoft's timestamping, code-signing and root CAs, i.e. strings from an Authenticode signature chain carried somewhere in the sample. Nothing in this report ties them to the macro; do not treat them as download locations.
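The two extraction steps behind OLE_EMBEDDED_EXE and EMBEDDED_URL, as an added example that is not part of this report or of the analysis pipeline's code: locate an MZ header whose e_lfanew really lands on a PE signature, carve the image by its own headers (section table and certificate table) instead of "MZ to end of file", and read the CRL/AIA URLs out of the Authenticode certificate table as the certificate encodes them, which is what removes the "0X"-style tails. It goes beyond the report in deriving the PE's on-disk extent. Everything it runs on is constructed in the block: DOCUMENT is a stand-in blob, not the reported sample, and its certificate table is a DER-like fragment rather than a real PKCS#7 signature. Standard library only.

```python
# Added example for this report, not the analysis pipeline's own code. DOCUMENT
# below is constructed and is NOT the reported sample; its certificate table is a
# DER-like stand-in for an Authenticode signature, not real PKCS#7.
import re
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}  # optional-header bytes before the directories (PE32 / PE32+)


def find_pe_headers(buf):
    """Offsets of every 'MZ' whose e_lfanew lands on 'PE\\0\\0'; a bare 'MZ' string does not count."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew, = struct.unpack_from("<I", buf, pos + 0x3C)
            if 0x40 <= e_lfanew < 0x1000 and buf[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def _headers(buf, off):
    """(optional header, data directories, NumberOfRvaAndSizes, section table, NumberOfSections)."""
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
    nsect, = struct.unpack_from("<H", buf, pe + 6)
    opt_size, = struct.unpack_from("<H", buf, pe + 20)
    opt = pe + 24
    dd = opt + DATA_DIR_OFFSET[struct.unpack_from("<H", buf, opt)[0]]  # KeyError on a bad Magic
    ndirs, = struct.unpack_from("<I", buf, dd - 4)
    return opt, dd, ndirs, opt + opt_size, nsect


def security_directory(buf, off=0):
    """(file offset, size) of the certificate table, or (0, 0); this entry holds a raw file offset, not an RVA."""
    _, dd, ndirs, _, _ = _headers(buf, off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    return struct.unpack_from("<II", buf, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def pe_file_extent(buf, off):
    """On-disk size of the PE at `off`: furthest of SizeOfHeaders, section raw-data ends, certificate table end."""
    try:
        opt, _, _, sect, nsect = _headers(buf, off)
        end, = struct.unpack_from("<I", buf, opt + 60)  # SizeOfHeaders
        for i in range(nsect):
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        cert_off, cert_size = security_directory(buf, off)
        return min(max(end, cert_off + cert_size), len(buf) - off)
    except (struct.error, KeyError):  # headers do not parse: fall back to carving to end of buffer
        return len(buf) - off


def carve_pes(buf):
    return [(off, buf[off:off + pe_file_extent(buf, off)]) for off in find_pe_headers(buf)]


def naive_urls(blob):
    """String-grep view: the URL plus whatever printable DER bytes follow it (the '0', '0X' tails)."""
    return [m.decode() for m in re.findall(rb"https?://[!-~]+", blob)]


def der_uris(blob):
    """DER [6] uniformResourceIdentifier values: tag 0x86, one-byte length (< 128), IA5String."""
    out, pos = [], blob.find(b"\x86")
    while pos != -1:
        length = blob[pos + 1] if pos + 1 < len(blob) else 0
        value = blob[pos + 2:pos + 2 + length]
        if 0 < length < 0x80 and value.startswith(b"http"):
            out.append(value.decode("ascii"))
        pos = blob.find(b"\x86", pos + 1)
    return out


# ---- constructed input: a stand-in for the report's sample, not the sample itself ----
CRL_URLS = ["http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
            "http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt"]


def build_fake_cert_table():
    # Each URI is followed by the next SEQUENCE tag 0x30 ('0') and its length byte,
    # exactly the bytes a printable-string grep glues onto the URL.
    body = b"".join(b"\x86" + bytes([len(u)]) + u.encode() + tail
                    for u, tail in zip(CRL_URLS, (b"\x30\x58", b"\x30\x82")))
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body  # WIN_CERTIFICATE header


def build_fake_pe(cert):
    """Minimal PE32: DOS header, COFF header, optional header with 16 directories, one section, then the certificate table."""
    section, raw_ptr = b"\xcc" * 0x200, 0x200
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = struct.pack("<H", 0x10B) + b"\x00" * 58 + struct.pack("<I", raw_ptr)  # SizeOfHeaders at +60
    opt += b"\x00" * (92 - len(opt)) + struct.pack("<I", 16)  # NumberOfRvaAndSizes at +92
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (raw_ptr + len(section), len(cert))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000, len(section),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\x00") + section + cert


PE_IMAGE = build_fake_pe(build_fake_cert_table())
PE_OFFSET = 0x300
# CFB magic, a decoy 'MZ' with no PE signature behind it, the image, then trailing sectors
# that an "MZ to end of file" carve would wrongly include.
DOCUMENT = ((b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 0x100 + b"MZ").ljust(PE_OFFSET, b"\x00")
            + PE_IMAGE + b"\x00" * 0x100)
```

carve_pes(DOCUMENT) returns one image whose length equals what the headers describe, while an "MZ to end of file" carve would also swallow the trailing sectors; on the reported sample the carve is of the latter kind (0x44F1 is 17,649, and 17,649 + 853,263 = 870,912 bytes = 850.5 KB), so compare the header-derived extent before treating 853,263 bytes as the dropper's true size. naive_urls on the certificate table reproduces the "...crl0X" and "...crt0" strings from the list above, der_uris returns the clean URLs; it handles single-byte DER lengths only, which covers every URL in that list.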

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind          Source                                                 Size
macros.bas                      vba-macro     oletools.olevba.extract_macros (decoded VBA source)    14,318 bytes
  SHA-256: aafcaaf90595ab36360aa7ebea1d205f695ebaa4733d161e0344dd0c919faf50
embedded_office_000044f1.exe    embedded-pe   Office MZ+PE at offset 0x44F1                          853,263 bytes
  SHA-256: 5bb3938bf99f004a415c5904cefc2dc8d7ba81fc1ab007db7ce01302f0abf819
  Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
  Obfuscation or payload: unlikely
ole10native_00.bin              ole-package   OLE Ole10Native stream: MBD0001C810/Ole10Native        611,869 bytes
  SHA-256: c64dcafa616038fea032c518953dfc75dfdce8774d27a2c205eadd410e71075a

Consistency check on the carve: 0x44F1 is 17,649 bytes, and 17,649 + 853,263 = 870,912 bytes = 850.5 KB, so embedded_office_000044f1.exe runs from the first valid MZ/PE header to the end of the document. That is an "MZ to end of file" carve rather than a header-delimited PE image: the 611,869-byte Ole10Native stream (an OLE Package object, the usual carrier for a file embedded in an Office document) cannot fit in the 17,649 bytes before the MZ header, so most of it lies inside the carved region, and the ClamAV hit on the carved file applies to that whole region. Derive the dropper's real size from its section table and certificate table before relying on the 853,263-byte figure.