Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 0755a10bbe45ec01…

MALICIOUS

Office (OLE) / .XLSX

114.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-09-27
MD5: 42d05295b18da2d31022f2085f62c1c7 SHA-1: 0e9a4618e0fc737f52300d27f33af614bfbeb7bf SHA-256: 0755a10bbe45ec010a16f32e842c65be350eed0eb4b0e7cb1e2794986a34abb4
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The critical OLE_VBA_SHELL heuristic indicates a Shell() call within the VBA macros. The Workbook_BeforeClose subroutine constructs a string 'Shor' by concatenating various string properties from different objects, and then calls Shell(Shor). This strongly suggests the macro is designed to execute an arbitrary command, likely to download and execute a secondary payload. The SC_STR_POWERSHELL heuristic further supports the possibility of PowerShell being involved in the execution chain.

Heuristics 4

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
89b29478f3e21decbd1a0892e5392c7619ed07674b2af43502d6388141ab16e0		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 4587 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.