Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0d27cc7d56ff4139…

MALICIOUS

Office (OLE) / .XLS

Size: 409.0 KB
Created: 2016-11-08 08:33:09
Authoring application: Microsoft Excel
First seen: 2022-08-01
MD5: 6d6492f0d1ca8de395e2be1bc53f70b4
SHA-1: f3e198d1c3ef88dce60cae2e7307736bb2f684e0
SHA-256: 0d27cc7d56ff41391c8be23c139f44d7c2f56f394c3cd3e78b27cd1ea1427c0f
Risk Score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1140 Deobfuscate/Decode Files or Information
  • T1036.005 Masquerading: Match Legitimate Name or Location

The VBA script uses CreateObject to obtain a WScript.Shell object, decodes Base64 content embedded in the spreadsheet, and writes the result to 'nvidiax.exe' in the user's temporary directory. This indicates downloader or dropper functionality whose aim is to execute a secondary payload; the filename imitates a legitimate vendor name (T1036.005). The document body contains what appears to be a form for submitting personal information, likely serving as a lure.

Heuristics (6)

  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
  • WScript.Shell usage (severity: critical, rule: OLE_VBA_WSCRIPT)
  • Reference to Windows Script Host (severity: high, rule: SC_STR_WSCRIPT)
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS): document contains VBA macro code
  • Environ() call, i.e. environment variable access (severity: low, rule: OLE_VBA_ENVIRON)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7094 bytes
SHA-256: 54ba713ab254cfd6176a4b8846c3b0962e2e7a2f34b5c1107ba20bf283bf1595