Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 1d81d40e7c25a2bc…

MALICIOUS

Office (OLE) / .XLSX

Size: 265.5 KB
Created: 2023-02-13 22:11:10
Authoring application: Microsoft Excel
First seen: 2023-02-20
MD5: ea09ae5a53e9b4f038060986d539f399
SHA-1: 5f576e6b75e3d25f2d86b9bc40f7dae9e0a709c8
SHA-256: 1d81d40e7c25a2bc83dd91ef3412fc639feee08ecdaa36311411909ec56681db
Risk Score: 340

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1218 Signed Binary Proxy Execution
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information

The sample is a macro-enabled Excel file containing an obfuscated auto-exec loader in the Workbook_Open event. It uses VBA functions such as CreateObject and GetObject together with calls to the Windows APIs LoadLibraryA, GetProcAddress, and VirtualProtect, indicating an attempt to load and execute shellcode. The macro also reconstructs the string "amsi.dll" from hexadecimal values, suggesting an attempt to tamper with the Antimalware Scan Interface (AMSI) and evade script scanning.

Heuristics (9)

  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8ca82ccddb33fed385c8205f8fe8445b601bc6d79345c63d8d99b50fa69de99e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 170198 bytes