Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42f707578183b438…

MALICIOUS

Office (OLE)

119.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: c5796271dc516963cec2d95ce932fe9d SHA-1: c3ed9c74d5e2561d7f9a1cf6d80de3e00b54c2a0 SHA-256: 42f707578183b438654ceadc84bec5753dbca1febbc344856ce89e4747eb3f55
100 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Excel file containing VBA macros. The Workbook_Activate subroutine extracts URLs from cells A5, A6, and A7, then uses an obfuscated function to construct and execute a PowerShell command via ShellExecute. This PowerShell command is designed to download and execute a second-stage payload, indicating downloader or dropper functionality.

Heuristics 3

  • Reference to ShellExecute API (severity: high, rule SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: e063bbac99b90d9fe9f6e42ccab8fbbc8164d48f2fbb00af8b98d05773f7a29c
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1410 bytes