Office (OLE) / .XLS malware analysis — malicious · 077469fb698ad223

MALICIOUS

Office (OLE) / .XLS

204.5 KB Created: 2020-11-12 00:12:31

MD5: ca8ed56ffb333aaf3da8fe5768df47e5 SHA-1: 102c2d6518b0d04ec17b1a719995d61f57a92705 SHA-256: 077469fb698ad223bb0357a773f943018e4e4595947fc59319c4715bf728c011

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The Workbook_Open VBA macro contains a call to URLDownloadToFileA, which is used to download a file from the embedded URL http://sparepartiran.com/js/s0/11056.jpg. The downloaded file is saved to C:\Users\Public\Documents\bxcyannjodzkmzvjbeqresjffflcoxbuyhrzmbgwdcdn, likely to be executed as a second-stage payload. The use of Shell() and URLDownloadToFileA indicates a malicious intent to download and run external code.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://sparepartiran.com/js/s0/11056.jpg

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `36d9ecbe90f8c8ec8354f7dfc1646f9be09e4c726d0d65f884a041599117a6d5`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.