Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4074e2545397ee74…

MALICIOUS

Office (OLE) / .XLS

Size: 232.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-03-09
MD5: b03e0f6098a16f0ab208d7b33c17799e
SHA-1: 0f9414753f9f1f2e41469a3f129cdf493bd4a001
SHA-256: 4074e2545397ee74f4073ed9b1161be0ee900ec44b9d6179c3f8198ac247eebd
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The VBA macro within this Excel file utilizes a GetObject call to write a VBScript payload, named 'WpPwf.vbs', to the user's AppData directory. The script is then executed, indicating a likely downloader or initial execution stage for further malicious activity. The Environ$("AppData") function is used to construct the full path to the dropped file.

Heuristics 3

  • GetObject call | high | OLE_VBA_GETOBJ
  • VBA macros detected | medium | OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) | low | OLE_VBA_ENVIRON

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (53c71408f032e759f16876eb4c228b0496ac139393454458212e61fb781e217a) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1525 bytes