Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1c9d963f1aafaad9…

MALICIOUS

Office (OLE) / .XLS

229.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-25
MD5: 0eb60354f0401f2a56f5f3a8e15d6147 SHA-1: 58271ee15c52baba9018c8a7fcfbb762574cfe22 SHA-256: 1c9d963f1aafaad9d6ee7c092c6bd77bda5d1590c125238cb0671fcf176d078a
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an Excel file containing VBA macros that, when enabled, create and execute a batch file named 'dfuuE.bat' in the user's profile directory. The batch file contains obfuscated commands, likely for downloading and executing a second-stage payload. The 'SE_INVOICE_LURE' heuristic and the document body text suggest a social engineering tactic using a fake invoice to prompt macro execution.

Heuristics 4

  • VBA instantiates/executes content from worksheet cells critical OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ae90e9b865026aba5be8261caf4c224c6f1fddd354a073e6cb857a51cb0c4a01		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1894 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.