Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10e3ec9ce7980e53…

MALICIOUS

Office (OLE)

Size: 383.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 0463d0b7d9dbef1838839fc07cbb7709
SHA-1: 7ea5d1908180023e6b934bab5af13c9bb594f471
SHA-256: 10e3ec9ce7980e534901f62a9958a26ec969189ace4bca2afb348b743503583b
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The sample contains VBA macros that use `CreateObject("scripting.filesystemobject")` and `CreateObject("wscript.shell")` to execute commands. Specifically, it attempts to extract `c:\cab.cab` using `extrac32` and `extract`, then copies `c:\normal.dot` and `c:\internet.exe` to system directories. This indicates downloader or dropper functionality, aiming to establish persistence and execute further malicious code.

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • SC_STR_WSCRIPT (high): Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 071361a99a1431d40e0c3041987210a7a2134c5eb423dbe3dcb87fe5192b4347
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2808 bytes