Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 053b1db6f8456d02…

MALICIOUS

Office (OLE) / .XLS

34.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-03-01
MD5: 6c91c18406edcdf43b99259c75e97e98 SHA-1: b955548fdbe22c84e147058adc286cb03e221d2c SHA-256: 053b1db6f8456d02ae045f74602aa44eb5254da326a07c3e6ba604bbbd683739
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1140 Deobfuscate or Obfuscate

The VBA macro code within the Excel file leverages `GetObject` and `InvokeVerb 'Paste'` to extract and execute a JavaScript file named 'IFYIV.js'. The script is designed to wait for a file named 'IFYIV.txt' to appear, rename it to 'IFYIV.js', and then execute it. This indicates a multi-stage attack where the Excel file acts as a dropper for a JavaScript payload, likely to download and execute a second-stage payload.

Heuristics 6

  • VBA instantiates/executes content from worksheet cells critical OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6f7ae430d00998939a94f99db56630b304b5e6a2a64f4044b90bccf23be1ee2e		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1269 bytes
ole10native_00.bin
e8f60458faaa8faa45744c9e520fbf56ba0ea2f7fff3b470a780a1bb039bcbad		 ole-package OLE Ole10Native stream: MBD002D4D3E/Ole10Native 1092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.