Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 fd6860ad5b638b75…

MALICIOUS

Office (OLE) / .XLS

Size: 401.0 KB
Created: 2020-11-20 17:59:00
Authoring application: Microsoft Excel
MD5: 5fdf58407600b86efd6de1bf2c9c8fc9
SHA-1: bfba1d4e550891d2daaaa08c20896b2566e2cfc0
SHA-256: fd6860ad5b638b75f98632efb9b88ea2e6dc17ee5647818d8981573492cbfb1e
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The critical ClamAV detection and the presence of both XLM and VBA macros indicate malicious intent. The XLM macro constructs a PowerShell command to download a file named 'ii.exe' from 'https://cutt.ly/yhRo48u' and save it to the user's appdata directory. The VBA macro then calls this XLM macro, initiating the download and execution of the second-stage payload.

Heuristics (4)

  • ClamAV: Xls.Malware.Abracadabra-10031695-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Abracadabra-10031695-0
  • Auto_Open macro [high, OLE_VBA_AUTO]
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • xlm_macros.txt (kind: xlm-macro, size: 1784 bytes)
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    SHA-256: 97611c8d22a7f474bc5dd6124f42c8a23cda5029e6ec90664e658957291a90bb
  • macros.bas (kind: vba-macro, size: 1016 bytes)
    Source: oletools.olevba.extract_macros (decoded VBA source)
    SHA-256: cd570610748f1d9f3b3da8aecc12295e1dff4beebd51624b3e1fafca26bf9c59