Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 134f1431791a206b…

MALICIOUS

Office (OLE) / .XLS

Size: 399.5 KB
Created: 2016-11-08 08:33:09
Authoring application: Microsoft Excel
First seen: 2022-08-01
MD5: 8c43994a06c9cf04e3ee9325f915acf0
SHA-1: 47c3a271e638532e5d3a30f06a23b5eb1a09dcf7
SHA-256: 134f1431791a206b204c0421d27372f61613e2793f92bffde831d25d66d75403
Risk Score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.003 Windows Command Shell
  • T1140 Deobfuscate or Obfuscate Data

The Excel file contains VBA macros that use WScript.Shell and CreateObject to execute code. The macro decodes a Base64 string stored in the 'Final Offer' worksheet, writes the decoded bytes to a file named 'nvidiax.exe' in the user's public documents folder, and then executes that file. This indicates downloader or dropper functionality.

Heuristics (6)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • SC_STR_WSCRIPT (high): Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  54ba713ab254cfd6176a4b8846c3b0962e2e7a2f34b5c1107ba20bf283bf1595
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     7094 bytes