Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 069e33991bd7de11…

MALICIOUS

Office (OLE) / .XLS

228.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: e29bd4599eefa068da48a8d2c312b999 SHA-1: d2167313fe068469e05ae6b719b129867ef92ee0 SHA-256: 069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The sample is an Excel file containing VBA macros. The Workbook_Activate subroutine decodes strings from cells C4 and C5, concatenates them, and passes the result to the iermRd function. This function then uses GetObject and CallByName with values from cells C7 and C8 to execute a downloaded VBScript from the URL http://64.188.19.241/dataf.vbs. The ShellExecute API reference further indicates the execution of external commands. The primary intent appears to be downloading and executing a second-stage payload.

Heuristics 5

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://64.188.19.241/dataf.vbs
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6276116bf3a7b55f21b893f27e69a24233b7a06a5d377ff37c671ea308bf25ed
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1575 bytes