Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 46be7e5ff54d80a5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 85.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 8b411ff95bed3000d6d34b1408ee256c
SHA-1: 18b758b6d8a88959a98eeff1a0b0f9dbb255cd9c
SHA-256: 46be7e5ff54d80a5d0c9d62556b05ef3db74337cbfcdc543b882ffb60e491ed3
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

This Excel document contains VBA macros that leverage the CreateObject function to instantiate an object. This object is then used to call ShellExecute with a command constructed from data within the document's cells. The `ShellExecute` API call, combined with the `CreateObject` call, strongly suggests the macro is designed to download and execute a second-stage payload. The specific URL or command is obfuscated within cell data, preventing direct extraction, but the intent is clear.

Heuristics (3)

  • [high] SC_STR_SHELLEXEC: Reference to ShellExecute API
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  SHA-256: f562a490c22ee88dc91d0b534c6a5eb6176c1bf90916f9f46bad6ffea01af772
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1532 bytes