Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 12f56fe096abc00e…

MALICIOUS

Office (OLE)

Size: 2.62 MB
Created: 2004-03-29 22:32:10
Authoring application: Microsoft Excel
MD5: b38768e423da7ee89072de27ed336b70
SHA-1: 8a914a72fe08660e3a8233a7f6ad112da6699504
SHA-256: 12f56fe096abc00e5acbcd75ba4d8abb7099f6f5f216f443471141d3b8d94b56
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel document containing VBA macros, indicated by the OLE_VBA_MACROS heuristic. The SE_INVOICE_LURE heuristic suggests a fake invoice or payment lure. The CreateObject heuristic indicates the potential for dynamic execution. The VBA code itself, while truncated, contains elements that suggest it interacts with the file system and potentially executes commands, possibly involving PowerShell, to download and run a secondary payload. No specific URLs or executable IOCs were directly extracted from the provided evidence.

Heuristics 4

  • CreateObject call (severity: high, ID: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Fake invoice / payment lure (severity: low, ID: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: macros.bas (e5ce6696a37ffd7eac8b020db8d94de8473020caefae208e4ceced2d288b248c)
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 88067 bytes