Office (OLE) / .XLS malware analysis — malicious · 26d8119c8705d4d2

MALICIOUS

Office (OLE) / .XLS

50.5 KB Created: 2023-02-22 07:56:08 Authoring application: Microsoft Excel First seen: 2023-02-22

MD5: 399400ff61768ba9c5e026da92b50438 SHA-1: 7368b23236de01440c8862e644b9756408368e7f SHA-256: 26d8119c8705d4d2b24468c374d850a97588c30d0417194ae99540ad7fe8e19f

348 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1059.003 Windows Command Shell

The VBA macro contains critical heuristic firings for URLDownloadToFile and WScript.Shell usage, indicating it is designed to download and execute a secondary payload. The script attempts to obfuscate the download URL and uses WScript.Shell to execute commands, likely to facilitate further infection.

Heuristics 8

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b5fd42c5c704d2992adbadd21efb700764dc1f238891c28874b529b5f776e8f1`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.