Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0453792455a3c0d0…

MALICIOUS

Office (OLE) / .XLS

54.0 KB Created: 2022-11-08 07:25:35 Authoring application: Microsoft Excel First seen: 2022-11-08
MD5: f56b4b9044fedd0fea2f7fff8ab744b3 SHA-1: 796f4e2bb678b71e48f5a5bbc23f6823eefb9c13 SHA-256: 0453792455a3c0d00bb83fd29df71af26b1bd76ae4851be980d412a8ea802b9b
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The sample is an XLS file containing VBA macros that utilize WScript.Shell and CreateObject to download and execute a payload. The script constructs a URL using obfuscated strings and makes an HTTP request to fetch the payload. The use of WScript.Shell and Shell() calls indicates an attempt to run external commands or download additional malicious content.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c1ff1a2d1054fe1a8a113d6651c29552579fbbc7bd21d2b7c911c234757d5943		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3839 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.