Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 26bd031cb4a5333b…

MALICIOUS

Office (OLE) / .XLS

Size: 37.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-03-18
MD5: 678b736d27eee36ebcf6c0843d9cb83a
SHA-1: 57cdf9dbc688ad5796a92c10b3b74d9155763de9
SHA-256: 26bd031cb4a5333bbd77698f5aaf737cb108b4b9d30670d92218a8c31ec0abc7
Risk score: 108

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The VBA macro uses Environ() to retrieve a path from the environment variables, likely AppData, and then uses GetObject to paste an embedded object. This object is renamed from a .txt file to a .js file, which is then opened. This indicates the macro is designed to download and execute a second-stage payload. The use of ShellExecute and GetObject points to a malicious intent to run arbitrary code.

Heuristics (4)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call, environment variable access (severity: low, rule: OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1143 bytes
    SHA-256: cc201933b4ae3a3772b17a3715e7917ddb4fc3b1702a954fa704fcfab43279eb
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD00F49C1F/Ole10Native
    Size: 1108 bytes
    SHA-256: a5fd0977ee71bc6abc9272ce60e816bd7481f37ea8d0171f1b1439c72062faaf