Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 1eeb11946bb96ec1…

MALICIOUS

Office (OLE) / .XLSX

165.0 KB Created: 2021-08-17 12:24:08 Authoring application: Microsoft Excel
MD5: b4aeb76e6cc54cde75cb37f30c96d4f5 SHA-1: 4113dafa1ace5182b544dedb52be7e767d45cddb SHA-256: 1eeb11946bb96ec1b749e246e4e56d2952264cffc370fc660c554de7cbd18ad4
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32

This XLSX file contains a VBA macro that leverages the ScriptControl object to execute code. The macro's `Auto_Open` function is triggered upon opening the document. It dynamically loads code from the document's 'Subject' and 'Comments' properties into the ScriptControl, which is a known technique for executing arbitrary commands. This indicates the file is designed to download and execute a second-stage payload.

Heuristics 3

  • MSScriptControl.ScriptControl — CVE-2015-0097 high CVE likely CVE_2015_0097_SC
    MSScriptControl.ScriptControl — CVE-2015-0097
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
0278d22c57457c6ea65486c5e13f4b06bae683e9ef9fa360c905d1932da96848		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 862 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.