Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2ca19738b12df6b1…

MALICIOUS

Office (OLE) / .XLS

Size: 218.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: c8ecb662e44e8b5bba818086edd67ae1
SHA-1: 54d122a459b479d8aeabf9f63147fc9d132320e0
SHA-256: 2ca19738b12df6b1608c990842b0c20b25c35755a0119fe379ed532d0b069a6f
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an XLS file containing VBA macros. The macros utilize CreateObject and CallByName functions, indicating potentially malicious activity. The script attempts to reconstruct a command by concatenating strings, including 'ping google.com;', which is then passed to a dynamically created object. The exact purpose of the script is obfuscated, but it appears to be designed to execute arbitrary commands or download further payloads.

Heuristics 3

  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    1cdaa9864ecdde58b28321cc1e30764e21916bf6ae4d71181b31667494336d5a
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1748 bytes