Office (OLE) / .XLS malware analysis — malicious · 07a0d67fc961bf41

MALICIOUS

Office (OLE) / .XLS

63.0 KB Created: 2022-01-26 10:26:05

MD5: fd497df5fa4613a0e671bb346d3a4357 SHA-1: b3ca60457dfea479858049af3d4e59db441a3ac0 SHA-256: 07a0d67fc961bf41ec3b272876301d67391306cdd5b03b6207b90f2f3f6328f4

288 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The VBA macro contains references to URLDownloadToFile, LoadLibrary, GetProcAddress, and CreateProcess APIs, indicating its intent to download and execute a secondary payload. The reconstructed URL 'http://10.0.1.150:8000/TE MP' is the likely source of this payload. The use of these APIs strongly suggests a downloader or droppper functionality.

Heuristics 8

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `d22339466d0726b1999943667b2bd707f47d5009600021f3e4bc664b4d4df87b`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6067 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.