Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 40ef770b7e795ac4…

MALICIOUS

Office (OLE) / .XLS

Size: 33.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-14

MD5: dae044d98ed0f60f46ea1eb433101b14
SHA-1: e68ec776c041c7d58d69663ffe114f1da218f2b2
SHA-256: 40ef770b7e795ac45da6703d0ed205addf13a692ed3d3b2c2bb4acbaf71c3a19

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32

The VBA macro in the workbook calls GetObject, which triggers the high-severity OLE_VBA_GETOBJ heuristic. Instead of carrying its command as a single string literal, the macro assembles it at run time: it concatenates the literal 'P' with the content of cell C6, then appends the contents of cells C4 and C5. GetObject is then called with the value of cell C7, which most likely is a moniker naming a COM object able to run the assembled command. Keeping the sensitive strings in worksheet cells rather than in the macro body is a common evasion: the decoded VBA source alone does not reveal the command, so signature scanning of the macro text misses it. The pattern is consistent with a launcher that downloads and runs a second-stage payload, but that cannot be confirmed from the macro source alone; the analyst must read the actual values of cells C4 to C7 from the workbook and resolve the concatenation. The same applies to the T1218.011 mapping: rundll32 does not appear in the macro text, so that technique should be verified against the resolved command rather than assumed.
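The following Python script is an added example of the resolution step described above; it is not part of this report or of oletools. It parses a constructed VBA snippet that follows the reported pattern (a literal concatenated with cell references, and GetObject fed another cell), matches parentheses so nested Range("C7") calls are captured intact, and resolves the string against a constructed cell map. The macro text, the cell contents and the "new:{...}" moniker placeholder are all hypothetical stand-ins; in a real case the cell values come from parsing the workbook, not from the VBA.

```python
import re

# Constructed sample macro, modelled on the pattern described in the
# report (a literal plus worksheet cells concatenated into a command, and
# GetObject called with another cell's value). This is NOT the sample's
# real macro; the cell values below are placeholders chosen to make the
# resolution step visible, not the malware's actual strings.
SAMPLE_VBA = '''
Sub Auto_Open()
    Dim o As Object
    Dim cmd As String
    cmd = "P" & Range("C6").Value & Range("C4").Value & Range("C5").Value
    Set o = GetObject(Range("C7").Value)
    o.Run cmd
End Sub
'''

# Constructed worksheet contents (hypothetical). In a real case these come
# from parsing the workbook's cells, not from the VBA source.
SAMPLE_CELLS = {
    "C4": " -nop",
    "C5": " -w hidden",
    "C6": "owershell",
    "C7": "new:{00000000-0000-0000-0000-000000000000}",  # placeholder moniker
}

LITERAL = re.compile(r'^"((?:[^"]|"")*)"$')
RANGE_REF = re.compile(r'^Range\("([A-Za-z]+\d+)"\)(?:\.Value|\.Text)?$', re.I)
ASSIGN = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.I)


def split_concat(expr):
    """Split a VBA expression on '&' that sits outside string literals."""
    parts, cur, in_str = [], "", False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "&" and not in_str:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts


def resolve(expr, cells, env):
    """Evaluate a concatenation of literals, Range("A1") refs and known vars.
    Only Range("A1")-style references are handled; anything else is left
    marked as unresolved so the analyst can see what still needs work."""
    out = []
    for tok in split_concat(expr):
        m = LITERAL.match(tok)
        if m:
            out.append(m.group(1).replace('""', '"'))
            continue
        m = RANGE_REF.match(tok)
        if m:
            ref = m.group(1).upper()
            out.append(str(cells.get(ref, f"<{ref}:missing>")))
            continue
        out.append(env.get(tok, f"<unresolved:{tok}>"))
    return "".join(out)


def getobject_args(line):
    """Return the raw argument text of each GetObject(...) call on a line,
    matching parentheses so a nested Range("C7") call stays intact."""
    args = []
    for m in re.finditer(r"GetObject\s*\(", line, re.I):
        depth, i = 1, m.end()
        while i < len(line) and depth:
            depth += {"(": 1, ")": -1}.get(line[i], 0)
            i += 1
        args.append(line[m.end():i - 1])
    return args


def triage(vba, cells):
    """Walk the macro top to bottom, resolving plain assignments as we go,
    and report every GetObject argument plus every resolved string variable."""
    env, calls = {}, []
    for line in vba.splitlines():
        for raw in getobject_args(line):
            calls.append(resolve(raw, cells, env))
        m = ASSIGN.match(line)
        if m and not re.search(r"GetObject\s*\(", m.group(2), re.I):
            env[m.group(1)] = resolve(m.group(2), cells, env)
    return {"getobject": calls, "strings": env}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA, SAMPLE_CELLS).items():
        print(key, value)
```

Run it against the decoded macros.bas and a cell dump of the workbook; any token reported as unresolved or missing marks a reference the resolver does not understand yet (for example Cells(row, col) or a Chr()-built string), which is where manual follow-up starts.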

Heuristics (2)

  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 3a97af8a8adb892f74377ca32224f18dd555f321713e551dd53e68d3c12e3c2f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1129 bytes