Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 119dc0a2a5e296e3…

MALICIOUS

Office (OLE) / .XLSX

4.76 MB Created: 2006-11-08 15:21:05 Authoring application: Microsoft Excel First seen: 2023-01-30
MD5: 71aad7afcb7206ca80d602c959e6ae74 SHA-1: 286f0d230c4b495bfd1db35b70ce5cb7d8ce9619 SHA-256: 119dc0a2a5e296e3a5e49a73b884a20b28670ade9695551f9a08cfada50c6d06
622 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains critical VBA heuristics indicating the use of Shell() and WScript.Shell, along with an obfuscated auto-exec loader that leverages ActiveX events to launch decoded Excel4 macros. The VBA script explicitly uses ShellExecute to run external content, and embedded URLs suggest a download mechanism for a second-stage payload. The presence of multiple 'share.txt' and 'method.txt' URLs points to a potential information gathering or staging process.

Heuristics 15

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • x86 GetPC stub (CALL $+5; POP EBP) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://srcedit.pekori.jp/tool/share_e.txt
    • http://srcedit.pekori.jp/tool/share.txt
    • http://srcedit.pekori.jp/tool/method_e.txt
    • http://srcedit.pekori.jp/tool/method.txt
    • http://srcedit.pekori.jp/
    • http://news.yahoo.co.jp/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
47f261ecc2c417733c39838441aaf2c991f32622088f841c0dc3272aa12a8853		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 8388608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.