Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 20e2093192e7b7b9…

MALICIOUS

Office (OLE) / .XLS

33.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-10-20
MD5: 633ac0a161e40c4f05f8f8ecc295b72d SHA-1: 2e6ab911c6bae7fabae7c111a463b8f03545e0f6 SHA-256: 20e2093192e7b7b96c067cd8f16cee4ccb51e8c10676050646877bc83dc34a27
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic

The sample contains VBA macros that leverage a CreateObject call, indicative of malicious intent. The macros construct and execute a PowerShell command that downloads a JavaScript file from the URL 'http://qg.6sjah-uiu//:ptth' and saves it as 'notepad.js' in the temporary directory. This script is then executed, likely to download and run a further payload. The VBA code also attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy.

Heuristics 3

  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5d26f4d404325f5129edf595f2e0fddb4f3801cccce68d0e845d7fb57869e0f9		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1493 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.