Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 139f01ab8e3dd756…

MALICIOUS

Office (OLE) / .XLS

Size: 479.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-05-05
MD5: 2d3f9dc123e8b614432d83b782c6aee3
SHA-1: 1f6f602ea2f65d20b50a567fdb836bebb96deef5
SHA-256: 139f01ab8e3dd756558be9462ba2cb41f5c4f5753872aaf7b7108bf489c1ee89
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The critical heuristic 'OLE_VBA_CELL_GETOBJECT_EXEC' indicates that the VBA macros instantiate and execute content from worksheet cells. This is a common technique for executing arbitrary code, often used to download and run a second-stage payload. The presence of VBA macros and the GetObject call further support this. No specific IOCs were extracted, and the family remains unknown due to the lack of specific indicators.

Heuristics (4)

  • [critical] OLE_VBA_CELL_GETOBJECT_EXEC: VBA instantiates/executes content from worksheet cells
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • [high] OLE_VBA_GETOBJ: GetObject call
    GetObject call
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code
  • [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: aac0e1d7863327fd450ceab64c65cf7d222ea5e005e1a7c87cf54e91d01dd86e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3434 bytes