Office (OLE) / .XLS malware analysis — malicious · 3cb34400272d280f

MALICIOUS

Office (OLE) / .XLS

296.0 KB Created: 2020-09-24 12:06:31

MD5: fa392e8a9d22615b3149434c288d6bbd SHA-1: e5f212853846890ef0b5693170d23d8c62f60674 SHA-256: 3cb34400272d280f1a8c20bd52402e85d825784620ea42b0e68cf94a4101f0de

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The file is a malicious Excel spreadsheet containing VBA macros. The Workbook_Open event is triggered upon opening, which is a common technique for auto-execution. The macros employ string obfuscation and use CreateObject, indicating an attempt to download and execute a second-stage payload. No specific family could be identified, but the delivery mechanism is clear.

Heuristics 4

Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `355d5c2dcdda39ee7d4cb7478a5b9c96b13a7a4a26c7db1c547053b8f5d494d3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6969 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 145 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.