Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3223a4a133fe5b15…

MALICIOUS

Office (OLE) / .XLS

Size: 231.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-29
MD5: 84aa6461b504b15ef3db76ce4da9749d
SHA-1: 66dcb35b5bc819b49a5d44010bd3c0d25622a70c
SHA-256: 3223a4a133fe5b15fb4ecbb31cf05585cbbcab2ccbf8f47e4721327ee4994688
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is a macro-enabled Excel file that contains VBA code. The Workbook_Deactivate subroutine concatenates the hyperlink values stored in cells A5 and A6 and passes the result to the function `yyzzz`. The `yyzzz` function builds a command string by concatenating "pow", the hyperlink from cell A7, the output of `jrPxKF` (" -Windo"), the output of `emrkdf` ("wStyle Hidden"), and the combined A5/A6 string. The assembled command is then executed through `klsad().Exec`, where `klsad` obtains its object via `GetObject` using the hyperlink values from cells A8 and A9. Splitting the command across cell hyperlinks and small helper functions keeps any single string from reading as "powershell -WindowStyle Hidden", which is a common evasion against static string matching. This sequence strongly suggests the macro is designed to download and execute a second-stage payload via PowerShell with a hidden window. Calling `GetObject` with a CLSID is a common technique for instantiating a COM object to execute commands.

Heuristics (2)

  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas (SHA-256: 44655092cf951f4fd71eaf45da043acd223dd396722b461e9b59c0b189494cab)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1610 bytes