Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 2beef8eb7feb2252…

MALICIOUS

Office (OLE) / .XLSX

4.76 MB Created: 2006-11-08 15:21:05 Authoring application: Microsoft Excel First seen: 2023-01-29
MD5: 7e0362eb7a5600dbea8e536d9f89973a SHA-1: c3ca84a74d988c9e580281a620f8c16ea2bbe03e SHA-256: 2beef8eb7feb225209af1276076b3bb9b177c38123231ea5fc7a5f029e661b8e
622 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The file contains critical heuristics indicating the presence of obfuscated VBA macros designed to execute code. Specifically, it utilizes `ShellExecute` and `WScript.Shell` to launch external content, likely a second-stage payload from one of the embedded URLs. The `Workbook_Open` and `Auto_Open` macros are commonly used to trigger malicious execution upon file opening.

Heuristics 15

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • x86 GetPC stub (CALL $+5; POP EBP) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://srcedit.pekori.jp/tool/share_e.txt
    • http://srcedit.pekori.jp/tool/share.txt
    • http://srcedit.pekori.jp/tool/method_e.txt
    • http://srcedit.pekori.jp/tool/method.txt
    • http://srcedit.pekori.jp/
    • http://news.yahoo.co.jp/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a52630687661a5cb62834d51292306fd75cd60cf9550a0977a31ab8f0c2cbdc8		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 8388608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.