Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 44abd30e18e88e83…

MALICIOUS

Office (OLE) / .XLS

Size: 50.5 KB
Created: 2023-02-07 14:17:09
Authoring application: Microsoft Excel
First seen: 2023-02-08
MD5: 23fb0a4c57023913654aaee841607627
SHA-1: dcf851d132104cff226c980a468ac22602a8c0dd
SHA-256: 44abd30e18e88e832a65a29ce56c9c570d7f0a3b93158e5059722d89782a750c
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The VBA macros contain critical heuristic firings indicating the use of Shell() and HTTP download with file saving, strongly suggesting a downloader. The script attempts to download content from 'http://112.b5bp0li78ne3.c4o0m4', saves it to a temporary file, and then executes it using a constructed command line. This indicates a clear intent to fetch and run a secondary payload.

Heuristics (5)

  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 62d8586f12a929bffff111fb53112605ccf30ec47b77aa9ff469415a48926dc5
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1988 bytes