Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f90816409b4b73f9…

MALICIOUS

Office (OLE) / .XLS

65.5 KB Created: 2021-03-29 12:44:26
MD5: aed91721d74c66aeb070e54ec6ce713b SHA-1: 320002e13e8df6fd157ef6e1c7fdb43df1a16a19 SHA-256: f90816409b4b73f91008e5b1ff0d937a0d01fc500e772b5e99432bb40d55c1fc
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell T1059.004 JScript/VBScript

The file contains Excel 4.0 macros and VBA macros, with heuristics indicating the use of URLDownloadToFile API. The VBA macro explicitly declares and uses the URLDownloadToFileA function, suggesting it is intended to download and execute a second-stage payload. The presence of both XLM and VBA macros points to a multi-stage infection process, common in various malware families.

Heuristics 4

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
f3a27c7623a46b3097ab88a2ef8414d1ee39e472893b9c6c640fc8c2e8e7958a		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 666 bytes
macros.bas
bf406b25716f48c9e0899d3dc5ae8517ab47693a5ed12414493d2425b67fdf34		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2877 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.