Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1191d5c1dd7f6ac3…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: 1c878cb4faf331684f0ae78041649413
SHA-1: 56c684191ac99d40409bcef19cf9dd792c6901ce
SHA-256: 1191d5c1dd7f6ac38b8d72bee37415b3ff1c28a8f907971443ac3a36906e8bf5
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The document contains a lure instructing the user to enable macros, a common tactic for malware droppers. Embedded scripts indicate the use of PowerShell and WScript to download and execute a second-stage payload from the URL 'the embedded link'. The script also attempts to rename the downloaded file to a .bat.txt extension and execute it.

Heuristics (3)

  • Reference to PowerShell (severity: high, SC_STR_POWERSHELL)
  • Reference to Windows Script Host (severity: high, SC_STR_WSCRIPT)
  • Macro/content-enable lure (severity: medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings