Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 11c4d7d1295a5dd6…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 781.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
MD5: 76d4d9710105e77f11023127c4603202
SHA-1: 5c9a006de991acb9c1eaa25ccd690a5969103613
SHA-256: 11c4d7d1295a5dd6a2e75d5ca9e63d17b860d85a4b536bb3261ecc7971ef1160
Risk Score: 402

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The sample is a malicious Excel workbook carrying VBA macros that call Shell() to run a PE file dropped from the document itself (the MZ/PE carved at offset 0x44F1 and the Packager object in the Ole10Native stream; see Extracted artifacts). The file also contains string references to Windows Script Host and to the LoadLibrary, GetProcAddress and VirtualAlloc APIs, a combination typical of dynamic API resolution and in-memory loading. These are string hits (the SC_STR_* heuristics), not confirmed call sites, and the static result does not establish whether they belong to the macro or to the embedded executable. The embedded PE, which ClamAV flags as Win.Dropper.Hideproc-6663113-0, is the primary payload; what it does once launched is not covered by this static analysis.

Heuristics (10)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_EMBEDDED_EXE (critical): MZ/PE header found inside the document; possible embedded executable
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Dropper.Agent-9578560-0
  • EXTRACTED_FILE_CLAMAV (critical): ClamAV flagged at least one file extracted from inside this sample (here the carved PE, Win.Dropper.Hideproc-6663113-0). Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • SC_STR_WSCRIPT (high): reference to Windows Script Host
  • SC_STR_LOADLIBRARY (high): reference to the LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): reference to the GetProcAddress API
  • SC_STR_VIRTUALALLOC (medium): reference to the VirtualAlloc API
  • OLE_VBA_MACROS (medium): document contains VBA macro code
  • EMBEDDED_URL (info): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
      http://www.microsoft.com
      http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
      http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt
      http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
      http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt
      http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
      http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
    All seven are Microsoft PKI CRL and AIA endpoints of the kind carried in an Authenticode certificate chain, so they most likely come from the signature block of the embedded PE rather than from the macro, and none is a download or command-and-control address. The trailing characters in the raw extraction (0, 0X, 0Z, 0T) are the DER bytes that follow each URI inside the certificate encoding, not part of the URLs. A Microsoft chain in the file does not mean the binary is validly signed; verify the Authenticode signature on the carved PE before drawing any conclusion from it.
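The string and VBA heuristics above are simple enough to reproduce, and doing so shows a distinction the report blurs: a `Declare ... Lib "kernel32"` statement in the macro is a confirmed API import into VBA, whereas a bare string hit may come from anywhere in the file, including the embedded PE. The following is an added example (mine, not the analysis platform's code). The rule IDs and severities are the ones the report lists; the regexes, the `SAMPLE_VBA` macro text and the `SAMPLE_BYTES` blob are constructed for illustration and are not the sample's own content.

```python
"""Re-implementation of the report's VBA/string heuristics as a triage function.
Added example, not the analysis platform's code; rule IDs and severities are
the report's, the regexes and sample inputs are constructed here."""
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# API names the SC_STR_* rules look for, matched anywhere in the raw file bytes
API_STRINGS = {
    "SC_STR_LOADLIBRARY": ("high", b"LoadLibrary"),
    "SC_STR_GETPROCADDRESS": ("high", b"GetProcAddress"),
    "SC_STR_VIRTUALALLOC": ("medium", b"VirtualAlloc"),
}

# Shell as a function `Shell("x")` or as a statement `Shell p, vbHide`;
# the lookbehind keeps `WScript.Shell` and identifiers like ShellExecute out.
SHELL_RE = re.compile(r'(?<![\w.])Shell(?:\s*\(|\s+["\w])', re.I)
WSH_RE = re.compile(r'WScript\.Shell|wscript\.exe|cscript\.exe', re.I)
# `Declare [PtrSafe] Function Name Lib "dll" [Alias "RealName"]`: a Win32 API
# imported into VBA, which is how a macro reaches VirtualAlloc & co. directly.
DECLARE_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?', re.I | re.M)


def line_of(text, pos):
    """The full source line containing character offset `pos`, stripped."""
    start = text.rfind("\n", 0, pos) + 1
    end = text.find("\n", pos)
    return text[start:end if end != -1 else len(text)].strip()


def vba_findings(vba_src):
    """Findings from decoded VBA source (what olevba's macros.bas holds)."""
    # drop comment-only lines so a Shell(...) mentioned in a comment does not fire
    code = "\n".join(l for l in vba_src.splitlines()
                     if not re.match(r"\s*('|Rem\b)", l, re.I))
    found = []
    if code.strip():
        found.append(("OLE_VBA_MACROS", "medium", "VBA source present"))
    m = SHELL_RE.search(code)
    if m:
        found.append(("OLE_VBA_SHELL", "critical", line_of(code, m.start())))
    m = WSH_RE.search(code)
    if m:
        found.append(("SC_STR_WSCRIPT", "high", line_of(code, m.start())))
    for name, lib, alias in DECLARE_RE.findall(code):
        real = alias or name                      # Alias gives the exported name
        for rid, (sev, needle) in API_STRINGS.items():
            if real.lower().startswith(needle.decode().lower()):
                found.append((rid, sev, f"VBA Declare import {real} from {lib}"))
    return found


def raw_findings(blob):
    """Findings from the undecoded file bytes (where an embedded PE lives)."""
    found = []
    i = blob.find(b"MZ")
    while i != -1:
        # an MZ only counts if its e_lfanew lands on a PE signature
        e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
        if blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\x00\x00":
            found.append(("OLE_EMBEDDED_EXE", "critical", f"MZ+PE at offset {i:#x}"))
            break
        i = blob.find(b"MZ", i + 1)
    for rid, (sev, needle) in API_STRINGS.items():
        j = blob.find(needle)
        if j != -1:
            found.append((rid, sev, f"string at offset {j:#x}"))
    return found


def triage(vba_src, blob):
    """One entry per rule ID with all evidence, most severe first (stable sort,
    so ties keep scan order: VBA evidence before raw-bytes evidence)."""
    merged = {}
    for rid, sev, evidence in vba_findings(vba_src) + raw_findings(blob):
        merged.setdefault(rid, {"id": rid, "severity": sev, "evidence": []})
        merged[rid]["evidence"].append(evidence)
    return sorted(merged.values(), key=lambda f: SEVERITY_RANK[f["severity"]])


# --- constructed inputs standing in for macros.bas and the raw workbook ------
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
' Shell("calc.exe") inside a comment must not fire OLE_VBA_SHELL
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function LoadLib Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
Private Sub Workbook_Open()
    Dim p As String
    p = Environ("TEMP") & "\\update.exe"
    Shell p, vbHide
    Set wsh = CreateObject("WScript.Shell")
End Sub
'''
SAMPLE_BYTES = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24        # OLE magic + filler
                + b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")      # DOS header, e_lfanew = 0x40
                + b"PE\x00\x00" + b"\x00" * 28
                + b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00")

if __name__ == "__main__":
    for f in triage(SAMPLE_VBA, SAMPLE_BYTES):
        print(f["severity"].ljust(8), f["id"].ljust(22), "; ".join(f["evidence"]))
```

Run against the real macros.bas and the raw workbook, the evidence column tells you whether LoadLibrary/VirtualAlloc are actually imported by the macro (a VBA shellcode loader) or merely appear as import-table strings of the embedded PE, which is the question the summary leaves open.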

Extracted artifacts (3)

Files carved from inside the sample during analysis.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 14443 bytes
  SHA-256: ca403287992415749217c293d578b631737efe7852f4da931408321cd8aa886b

embedded_office_000044f1.exe
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x44F1
  Size: 782607 bytes
  SHA-256: a84ff37735ffb85c4f99565464993c84fa30cee9dd9d9199323bb2c7fbb65de2
  Detection: ClamAV Win.Dropper.Hideproc-6663113-0
  Obfuscation or payload: unlikely

ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD00674512/Ole10Native
  Size: 620061 bytes
  SHA-256: 034b5a642331a9cc0978052da20d38c9c73c3ad164cf038ed77f3348c51346f1

Note on the sizes: 0x44F1 (17649) + 782607 = 800256 bytes = 781.5 KB, the whole document, so the embedded-pe artifact is a carve from the MZ header to end of file. It is an upper bound on the executable, not its exact extent, and its hash will not match the dropped file as written to disk. The 620061-byte Ole10Native stream is a Packager object (storage MBD00674512) and is the more reliable container for the dropped file; the MZ at 0x44F1 most likely sits inside that stream. For hash-based pivoting, unpack the Ole10Native stream and hash the packaged file rather than the EOF carve.