Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0427d0a62e3992b8…

MALICIOUS

Office (OLE) / .XLS

Size: 53.0 KB
Created: 2023-02-22 07:56:08
Authoring application: Microsoft Excel
First seen: 2023-02-22
MD5: c4d5541c9ad7a3693c51dd78728280c7
SHA-1: dd8024ff889d08eb5e52025e5dede9607a2a4d2b
SHA-256: 0427d0a62e3992b808b1c10fe7dda447c29f42fbcd6c57190c8541e608d25c4f
Risk Score: 248

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The sample is an Excel spreadsheet containing VBA macros. Heuristics indicate the use of URLDownloadToFile, Shell(), and CreateObject, suggesting the macro is designed to download and execute a payload. The script attempts to reconstruct a URL through string manipulation, likely to obfuscate it from static scanners, and the presence of URLDownloadToFile points to downloader functionality.

Heuristics (6)

  • [critical] SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [medium] OLE_VBA_MACROS: VBA macros detected (document contains VBA macro code)
  • [low] OLE_VBA_ENVIRON: Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2423 bytes
SHA-256: 75d93eec6aa9032b8d12b82ad9fd8c2d175fe3d4bfd0c13aeee04e69660660ea