Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3372c6df7ddb40ba…

MALICIOUS

Office (OLE) / .XLS

54.0 KB Created: 2022-11-08 07:28:13 Authoring application: Microsoft Excel First seen: 2022-11-08
MD5: d5854c6b6bcfa4d0483ebf98a26b4e63 SHA-1: 1ee35fc4c2eeefbfaf4cd3119220ff34c08f1635 SHA-256: 3372c6df7ddb40baf2e7dfde2c1f5ba3642665d22d477eded1ca432f8321a996
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The sample is an XLS file containing VBA macros that heavily utilize WScript.Shell and CreateObject, indicating an attempt to execute arbitrary code. The script attempts to download content from a remote source using the 'cominciarono' function, which constructs a URL from obfuscated strings. The presence of 'Shell()' and 'WScript.Shell' calls strongly suggests the execution of a second-stage payload.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c1ff1a2d1054fe1a8a113d6651c29552579fbbc7bd21d2b7c911c234757d5943		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3839 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.