Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0ef76ce10558c86b…

MALICIOUS

Office (OLE) / .XLS

79.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-18
MD5: e12d4ea1d922a7bf268e0133163a92f6 SHA-1: b02e8013f9695756d9fab1a5b677bbb39b3e48d7 SHA-256: 0ef76ce10558c86b6d359cd9da83a8fe3ba2dc2f36267447f4e191aaa4aa3125
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an Excel file containing VBA macros. The critical heuristic 'OLE_VBA_CELL_GETOBJECT_EXEC' indicates that the macros instantiate and execute content from worksheet cells. The 'SE_INVOICE_LURE' heuristic suggests a fake invoice theme. The VBA script constructs a batch file named 'Urhjg.bat' in the user's profile directory and writes obfuscated commands to it, likely to download and execute a second-stage payload.

Heuristics 4

  • VBA instantiates/executes content from worksheet cells critical OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b40f98f27d44d05bf90bb0a795cfc65076447c73ffb74ad6c27f27941233e0c1		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1894 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.