Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 024512629393c80c…

MALICIOUS

Office (OLE) / .XLS

Size: 452.0 KB
Created: 2020-10-05 12:17:15
MD5: 0b89a4cde1ee6651a4fb8e325cb921af
SHA-1: dc155c2c4eb579777af8e07d3e56fac45af03d83
SHA-256: 024512629393c80c1434eb25694c9f1e65d813cd3c273c6d97572ec62d8ad655
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 User Execution: Malicious File

The Workbook_Open macro contains an obfuscated VBA loader that decodes a Base64 string at runtime. The decoded string is a PowerShell command that downloads a second-stage executable from 'http://192.236.178.80/7z/0617773.jpg' (a disguised file extension), saves it as 'C:\Users\Public\whpfwkrl.exe', and then executes it. The combination of CreateObject with an obfuscated auto-exec loader is characteristic of macro-based malware, and the URL and file path above are the indicators a defender should add to block lists and detection rules.

Heuristics (4)

  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro present (runs automatically when the workbook is opened)
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call present (COM object instantiation from VBA)
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  15626bf52d112c8effa2bc1135c420b60f4a27b9b021bccd72ada96ea1f93f15
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1259 bytes