Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2a69de4e898f9ed8…

MALICIOUS

Office (OLE) / .XLS

Size: 34.5 KB | Created: 2015-06-05 18:17:20 | Authoring application: Microsoft Excel | First seen: 2022-03-01
MD5: e402d325370fb69d5163909b64c70bca
SHA-1: 91d37535ca57ccf5815e4420863770e10d7d79e1
SHA-256: 2a69de4e898f9ed85e6e6375da8605830b6cf0a7c8cde4288a4d58b5c6fcf385
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1059.005 Visual Basic

The VBA macro uses GetObject and ShellExecute to copy an embedded object (most likely the Ole10Native package listed under Extracted artifacts) into the user's AppData directory, rename it to 'eudvr.js', and then open that JavaScript file. The Environ$("AppData") call resolves the user's AppData path at run time rather than hard-coding it. The macro also waits for a file named 'eudvr.txt' to appear before renaming it to 'eudvr.js', which suggests a download or staging step between the drop and the execution. Note that the PowerShell heuristic and the T1059.001 mapping rest on a string reference in the macro; the summarised logic above shows no PowerShell invocation, so treat that technique as possible rather than confirmed until the carved macros.bas has been reviewed.

Heuristics (5)

  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • SC_STR_POWERSHELL (high): Reference to PowerShell
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
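The narrative and the heuristic list above are what a static triage pass derives from the decoded macro source: a handful of string and call-pattern matches, plus the filenames and environment variables the macro references. The script below is an added example (not the analysis service's own code) that re-derives those hits and IOCs from VBA text. The VBA it scans is a constructed stand-in modelled on the narrative (Environ$("AppData"), a wait for eudvr.txt, a rename to eudvr.js, GetObject and ShellExecute); it is not the macros.bas carved from the sample, and it deliberately omits any PowerShell string so that SC_STR_POWERSHELL does not fire on it. The heuristic IDs and severities follow the report; the regexes, the IOC extraction and the heuristic-to-ATT&CK mapping are this example's own assumptions.

```python
"""Re-derive macro triage heuristics and IOCs from decoded VBA source.

Added example, not the analysis service's code. SAMPLE_VBA is a CONSTRUCTED
stand-in modelled on the report narrative; it is not the carved macros.bas.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed macro: drops an embedded object under %AppData%, waits for
# eudvr.txt to appear, renames it to eudvr.js and opens it via ShellExecute.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
    (ByVal hwnd As LongPtr, ByVal op As String, ByVal file As String, _
     ByVal params As String, ByVal dir As String, ByVal show As Long) As LongPtr

Sub Workbook_Open()
    Dim base As String, txt As String, js As String
    base = Environ$("AppData") & "\"
    txt = base & "eudvr.txt"
    js = base & "eudvr.js"
    Set sh = GetObject("", "Shell.Application")
    ThisWorkbook.Sheets(1).OLEObjects(1).Copy
    Do While Dir(txt) = ""
        Application.Wait Now + TimeValue("00:00:01")
    Loop
    Name txt As js
    ShellExecute 0, "open", js, "", "", 1
End Sub
'''


@dataclass(frozen=True)
class Heuristic:
    hid: str          # ID as listed in the report
    severity: str     # severity as listed in the report
    description: str
    pattern: re.Pattern  # regex is this example's assumption


HEURISTICS = [
    Heuristic("SC_STR_SHELLEXEC", "high", "Reference to ShellExecute API",
              re.compile(r"\bShellExecute(?:Ex)?[AW]?\b")),
    Heuristic("SC_STR_POWERSHELL", "high", "Reference to PowerShell",
              re.compile(r"powershell", re.I)),
    Heuristic("OLE_VBA_GETOBJ", "high", "GetObject call",
              re.compile(r"\bGetObject\s*\(")),
    Heuristic("OLE_VBA_MACROS", "medium", "Document contains VBA macro code",
              re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+\w+", re.I | re.M)),
    Heuristic("OLE_VBA_ENVIRON", "low", "Environ() call (env variable access)",
              re.compile(r"\bEnviron\$?\s*\(")),
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Assumed mapping onto the techniques the report lists (this example's choice).
ATTACK_MAP = {
    "SC_STR_POWERSHELL": "T1059.001 PowerShell",
    "OLE_VBA_MACROS": "T1059.005 Visual Basic",
}
AUTOEXEC_TECHNIQUE = "T1204.002 Malicious File"  # user opens doc, macro auto-runs

STRING_RE = re.compile(r'"([^"\r\n]*)"')
FILE_RE = re.compile(r"\b[\w-]+\.(?:js|jse|vbs|vbe|txt|exe|hta|ps1|bat|cmd|scr|lnk|wsf)\b", re.I)
ENV_RE = re.compile(r'\bEnviron\$?\s*\(\s*"([^"]+)"\s*\)')
AUTOEXEC_RE = re.compile(r"\b(?:Auto_?Open|Auto_?Close|Workbook_Open|Document_Open|AutoExec|AutoNew)\b", re.I)
RENAME_RE = re.compile(r"^\s*Name\s+(.+?)\s+As\s+(.+?)\s*$", re.I | re.M)  # VBA Name statement


def scan_heuristics(vba: str) -> dict[str, int]:
    """Return {heuristic_id: match_count} for every heuristic that fires."""
    return {h.hid: n for h in HEURISTICS if (n := len(h.pattern.findall(vba)))}


def extract_iocs(vba: str) -> dict[str, list]:
    """Pull filenames (from string literals only), Environ() variables,
    auto-exec entry points and Name-statement renames out of the source."""
    literals = [s for s in STRING_RE.findall(vba) if s]
    return {
        "files": sorted({m.group(0) for lit in literals for m in FILE_RE.finditer(lit)}),
        "env_vars": sorted(set(ENV_RE.findall(vba))),
        "autoexec": sorted(set(AUTOEXEC_RE.findall(vba))),
        "renames": RENAME_RE.findall(vba),
    }


def triage(vba: str) -> dict:
    """Combine heuristic hits, IOCs, worst severity and assumed ATT&CK mapping."""
    hits = scan_heuristics(vba)
    iocs = extract_iocs(vba)
    worst = max((h.severity for h in HEURISTICS if h.hid in hits),
                key=SEVERITY_RANK.__getitem__, default=None)
    techniques = sorted({ATTACK_MAP[h] for h in hits if h in ATTACK_MAP}
                        | ({AUTOEXEC_TECHNIQUE} if iocs["autoexec"] else set()))
    return {"heuristics": hits, "iocs": iocs, "max_severity": worst, "attack": techniques}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the constructed sample the scan fires four of the report's five heuristics (everything but SC_STR_POWERSHELL) and recovers eudvr.txt and eudvr.js, the AppData variable, the Workbook_Open entry point and the txt-to-js rename; on the real macros.bas the same pass is the quickest way to confirm whether the PowerShell hit is more than a string reference.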

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 7d59a76256527e9033231b2ea3a92cadbd2c32531dd695abcd4ce11b427d8726
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1298 bytes
  • ole10native_00.bin
    SHA-256: 59eb56368afd24ef6de6e06caad014ebac89b6f404b9566a7362c8b241f7e0cd
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD08AF4F52/Ole10Native
    Size: 1092 bytes