Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 3531f03ff33dc02b…

MALICIOUS

Office (OLE) / .XLSX

4.76 MB Created: 2006-11-08 15:21:05 Authoring application: Microsoft Excel First seen: 2023-02-01
MD5: 6a5f6e9aea3997f62df50de3b7da5dd0 SHA-1: 1799c398510d43dc8183677f37689c701e357c69 SHA-256: 3531f03ff33dc02b868d4eef0b60e4a3ecc5d6839599a35bd5222c7c54ca2c4f
622 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059.003 Windows Command Shell T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains critical heuristics indicating obfuscated VBA macros designed to execute arbitrary code. Specifically, it utilizes `ShellExecute` and `WScript.Shell` to launch external content, strongly suggesting it acts as a downloader for a second-stage payload. The presence of multiple suspicious URLs further supports this, as they are likely sources for the downloaded malware.

Heuristics 15

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • x86 GetPC stub (CALL $+5; POP EBP) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://srcedit.pekori.jp/tool/share_e.txt
    • http://srcedit.pekori.jp/tool/share.txt
    • http://srcedit.pekori.jp/tool/method_e.txt
    • http://srcedit.pekori.jp/tool/method.txt
    • http://srcedit.pekori.jp/
    • http://news.yahoo.co.jp/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
09e238ba43bad89d2f85ce0d91ef68e5c745ec1c7e34574742291bc3e89b1a43		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 8388608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.