Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2df69b7b1a4745e2…

MALICIOUS

Office (OLE)

85.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 3c2394f7d00d9f43557c7e32603cc87f
SHA-1: 3dd1b6ac0cf5831ae903e6853d9720938b80823b
SHA-256: 2df69b7b1a4745e2fe6057a1ca24d1f9c18cc1e143318e71d1c8d7f46233ae7c
100 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Excel file containing VBA macros. The macros construct a string and use CreateObject to call ShellExecute, which triggers a high-severity heuristic. The function qkXSn builds a string that starts with 'P' and concatenates it with a variable 'n1', which is derived from cell values. This string is then passed as the first argument to ShellExecute, indicating an attempt to execute a command. The function cTNQhWD reverses a string, suggesting obfuscation.

Heuristics 3

  • Reference to ShellExecute API | high | SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call | high | OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected | medium | OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (bb2854983dc41e1a764f63200903ae2cbd58ceaea53411b5651d3b57d857c7bb) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1532 bytes