Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 114a7c5e2115db85…

MALICIOUS

Office (OLE) / .XLS

106.0 KB Created: 2022-09-30 06:00:17 Authoring application: Microsoft Excel First seen: 2022-09-30
MD5: 97d89c32a8f614c0c9ef00cd0a68e19b SHA-1: d0eb1a50d9b682882f57851c2623548e22ff3e3a SHA-256: 114a7c5e2115db8565dee6632ed5b711b2c0124e05fb3e5ac258ac38c0e78728
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer T1218.011 System Binary Proxy Execution: Rundll32

The sample is a macro-enabled Excel file that automatically executes VBA code upon opening. The VBA script contains obfuscated strings and references to `certutil`, indicating an attempt to download and decode a payload. It also uses `CreateObject` and reassembles the string 'WScript.Shell', suggesting execution of commands or scripts. The reconstructed URL 'http://sptth://mer/moc.nrutqet//:exe.BFuytwByu6cXshL' is likely the source of the second-stage payload.

Heuristics 8

  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Reference to certutil (download/decode) high SC_STR_CERTUTIL
    Reference to certutil (download/decode)
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c51c0cfadd66387d48d7aaf5d6a9de480796b46b7cece38de4ef3577c1f541ae		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 7168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.