Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 06d5e005a6b82b8b…

MALICIOUS

Office (OLE) / .XLSX

Size: 35.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: ac38560bb7741fd750ffaa83c397f8cc
SHA-1: 217aa8b5834222877196d2eef83f93983c2a37c8
SHA-256: 06d5e005a6b82b8b04af686c2d24f14d36a7a842eb0b38940bcf3453d1222ad4
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The VBA macro in the Excel file contains obfuscated code that, when triggered, constructs and executes a PowerShell command. This command is designed to download a file named 'AcrobotDC.exe' from the IP address '191.20.227.158' and then execute it. The use of GetObject and ShellExecute APIs further indicates malicious intent to launch external processes.

Heuristics (4)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
  • Reference to PowerShell (severity: high, rule: SC_STR_POWERSHELL)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7872292a02364e3331956929f00f9eeb62acbcd94511713455e2b94bb292c33d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1389 bytes