Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 40e5adc952e8c472…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.30 MB
Created: 2010-08-05 13:41:48
Authoring application: Microsoft Excel
First seen: 2024-06-08
MD5: 9b57a1c10146136ab07052d49c75bf76
SHA-1: 23d56976bbc90ecd3c00581ba7cd379c2b0b6c9c
SHA-256: 40e5adc952e8c472e083a539cd67ac339132f2e41a2c99dd3083dd720c041673
Risk Score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The file contains VBA macros that call the URLDownloadToFile API, indicating an intent to download and execute a secondary payload. The presence of CreateObject and Windows Script Host references further supports this assessment. Although no specific download URL was found in the available evidence, the technique itself is highly indicative of downloader malware.

Heuristics (7)

  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: b4cfb2b6d50d68d44ab062289f333d31e22c3bb77e42cc8bb0e3f18d16533cf2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1550621 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 21 eval/decoder/string-building token(s).