Office (OLE) / .XLSX malware analysis — malicious · 253ab1811ec9c8b3

MALICIOUS

Office (OLE) / .XLSX

235.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-09-07

MD5: f1c6f8311505b2070c67b46d2e2f3e4d SHA-1: 9f41d10e34ab82b47a72d5dd61b3a7df3bf32ecd SHA-256: 253ab1811ec9c8b3674e31578a1c7c5ac1cd30311c271a567f6a0dd9e00b9ad2

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The VBA macro within the Excel file utilizes Shell.Application and CreateObject to construct a path within the user's AppData directory. It then attempts to create a JavaScript file named 'HULIc.js' and a text file named 'HULIc.txt' in that location. The use of Shell.Application and the creation of executable scripts strongly suggest the intent to download and execute a second-stage payload.

Heuristics 4

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `cf15ea4d74bd0ae0e80941e347333e7442a59668ef473753a5d9439d87e38454`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1392 bytes
`ole10native_00.bin` `a5de1106ae28ed9be0d10f69c29948d397ac099f688ab9ac230b2782589b701a`	ole-package	OLE Ole10Native stream: MBD01B2D2A8/Ole10Native	1304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.