Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 43ef6281ee4e7594…

MALICIOUS

Office (OLE) / .XLS

Size: 80.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: ee6df130bd33ff66bf0d483a686e93e1
SHA-1: aaa6ad02c4d60038aea54e2da8cdd0ceecf129bb
SHA-256: 43ef6281ee4e7594ba0c9d9d5b1e97fa2898463b7e45309cf7f21ae6a1512442
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an Excel file containing VBA macros. Its Workbook_Activate subroutine runs automatically when the workbook is opened; it concatenates strings from cells C4 and C5 to form a URL and passes the result to a function that uses CreateObject and CallByName to execute it. The script reconstructs the URL as 'ping google.com;http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png'. This indicates the macro is designed to download and execute a second-stage payload.

Heuristics (3)

  • CreateObject call (severity: high, ID: OLE_VBA_CREATEOBJ)
    CreateObject call
  • CallByName call (severity: high, ID: OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash: fb4223956d937c7282dba32b46e1f1c2b3a989593590a07eb621ecd72cf957d1
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1524 bytes