Office (OLE) / .XLS malware analysis — malicious · 0a8155b09d0ada2a

MALICIOUS

Office (OLE) / .XLS

837.0 KB Created: 2021-05-19 14:22:57 Authoring application: Microsoft Excel

MD5: 5fa5d1b9b9f258e3a3c43e1b0a2f8962 SHA-1: b766548f7bc842a51d8e081cbf4c1a3d9c344038 SHA-256: 0a8155b09d0ada2a991a1974c8401990ee77806b58c87708818367667edb3a54

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains a Workbook_Open VBA macro that is obfuscated and uses CreateObject to execute commands. This macro is designed to download and save a file from one of the embedded URLs, likely to execute a second-stage payload. The presence of multiple suspicious URLs and the critical heuristic firings for downloading and executing files indicate a downloader or droppper functionality.

Heuristics 9

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://staging.filterfresh.co.nz/OrZdR6KsWwk4tcT.php
- https://clinicasaludmasculina.com/phone/css/AvGj1IrWszA5cUW.php
- https://camilajauja.com/wp-content/endurance-page-cache/demo/profile/register/B54wA0tL7f.php
- https://staging.filterfresh.co.nz/OrZdR6KsWwk4tcT.php\
- https://sindoleymorais.com.br/IzMprnWaa.phpv1!ZIL^SZ
- https://contrastemodafemenina.com/wp-content/plugins/redux-framework/sample/patterns/UXNpZQQ6G.php0@0+j8m/y
- https://redorchid.rosencolombo.com/modules/requisitions/lang/new_language_template/LC_MESSAGES/YHhhJrBHTMfc0o.phpSDq;LRUA:^�
- https://fate.sa/2EWZ1gzKbk.phpMVLmX@MVLmX@MVLmX@MVLmX@MVLmX@�
- https://supereclinica.com.br/gestor/ckfinder/plugins/fileeditor/codemirror/Mad1mAVF6Vla1IY.phpC
- https://bonsventosnautica.com.br/xhpxAHxeWeE6lH3.php�
- https://saurustechnology.com/badminton/admin1/images/shared/nav/nvyi8wxxcv7.php);e8Nz+y);e8Nz+y);e8Nz+y
- https://supereclinica.com.br/gestor/ckfinder/plugins/fileeditor/codemirror/Mad1mAVF6Vla1IY.phpC^3.8Z3|
- https://redorchid.rosencolombo.com/modules/requisitions/lang/new_language_template/LC_MESSAGES/YHhhJrBHTMfc0o.phpSDq;LRUA:^
- https://fate.sa/2EWZ1gzKbk.phpMVLmX@MVLmX@MVLmX@MVLmX@MVLmX@
- https://bonsventosnautica.com.br/xhpxAHxeWeE6lH3.php

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `bfa491aa497216139f9af2a722f9dadcc70297cb5727256aed148d3dd21c0fde`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	131724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.