Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 38628d0efd3cc7f7…

MALICIOUS

Office (OLE) / .XLS

Size: 112.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-03-01
MD5: 86f93e8b12d96eb7213f7655ed9e5544
SHA-1: f8cebfa2bab09f2523a0094eed5e7ea079892bf6
SHA-256: 38628d0efd3cc7f7edf40e9ee61b41df85f85841b2ee096fae0220e2b80740e1
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an Excel workbook containing VBA macros. Its Workbook_Activate subroutine runs automatically when the spreadsheet is opened. The macro reads the text of the form controls 'TextBox 1' and 'TextBox 2', builds the path to the user's AppData folder from Environ$("AppData"), and uses GetObject to write the content of 'TextBox 1' to a file named 'nRSdr.vbs' in that folder. It then attempts to execute the dropped VBScript. Storing the payload in a form control and dropping it from a macro is a typical macro-based downloader pattern.

Heuristics (3)

  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1f1b9a7d80726a8bde2c2231c8b99a82d2dc9d5597587405f66856bfe7a5da5a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1525 bytes