Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 31e9f81de3a87168…

MALICIOUS

Office (OLE) / .XLS

112.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-07-11
MD5: 1c43b021590009e8931b2ebf0eeaea1d SHA-1: 2d24d7774b5c142b973ff8022626bc74e1516114 SHA-256: 31e9f81de3a871687b0f0d4eabf9ca38e0a4fba3d59a1835f756f890c9a34d94
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The VBA macro code contains a `CreateObject` call and a function `DTlWH` that navigates to the URL `http://192.3.76.220/mac.txt` to download content. The script then attempts to execute this downloaded content. The values for the `CreateObject` call and the URL are dynamically retrieved from cells C107 and C106 respectively, indicating an attempt to obscure the payload.

Heuristics 3

  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.3.76.220/mac.txt

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
26127cca8b438a5087eb60f306860276130bd59306559440f78858b0f883cf18		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1221 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.