Office (OLE) / .XLSX malware analysis — malicious · f66f9f0e293e622b

MALICIOUS

Office (OLE) / .XLSX

64.5 KB Created: 2021-08-17 12:24:08 Authoring application: Microsoft Excel

MD5: 847450c0ed9954c2e9bdc5cd457d444c SHA-1: cef226d614868e6a2fd9528d29a010a551fe5061 SHA-256: f66f9f0e293e622b046ab473cf99d071a377418fd69bf1685c8d23c371f517cc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The file is an Excel spreadsheet containing a VBA macro that is automatically executed upon opening (Auto_Open). This macro utilizes a ScriptControl object to execute code embedded within the document's 'Subject' and 'Comments' properties. The ClamAV detection name 'Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0' strongly suggests that this macro is designed to download and execute a second-stage payload. The specific content of the embedded script is too generic to determine the exact payload, but the overall mechanism points to a downloader.

Heuristics 3

ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0278d22c57457c6ea65486c5e13f4b06bae683e9ef9fa360c905d1932da96848`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	862 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.