Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f7d776c29bb69a2f…

MALICIOUS

Office (OLE) / .XLS

129.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: c8e3411fe425387dff6e1bc4f9990e41 SHA-1: b4f7dcfd83745542f548911882302b5ab5ba723a SHA-256: f7d776c29bb69a2fcfd4db75c3c076177bd863f62530198f14adb41f78a72136
242 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file contains VBA macros, including Auto_Open and Auto_Close, which are commonly used to initiate malicious actions upon opening or closing the document. A critical heuristic firing indicates the use of URLDownloadToFile API, suggesting the macro attempts to download a payload from one of the embedded URLs. The ClamAV detection as 'Doc.Downloader' further supports this. No document body text was available for analysis, but the presence of macros and download functionality points to a downloader malware.

Heuristics 7

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://101.99.90.18/
    • http://194.36.191.19/
    • http://45.144.29.109/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1d960f6caac53d8c2251599c53022cfdbc7f6e2862dcf129a8d44776b9a41f22		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 5309 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.