Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 47146f8d8b46a395…

MALICIOUS

Office (OLE) / .XLS

Size: 452.0 KB
Created: 2020-10-06 09:16:54
MD5: 90b96f55ad5ad57ae1dd60ca025df039
SHA-1: cf29e94c27dfa7a339b588564ec1bb336c21017d
SHA-256: 47146f8d8b46a395adabd4c961732aa28c28b08776d1a0e91a71b66da0eb767b
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The sample is a macro-enabled Excel file whose Workbook_Open macro runs a PowerShell command on document open. The command downloads a file served as a JPG from 'http://192.236.178.80/i8/maggis.jpg', saves it as 'C:\Users\Public\qfuyeded.exe', and then executes the saved file. This is a downloader pattern: the document's only job is to fetch and run a second-stage payload.

Heuristics (4)

  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 179fecb44907f77dc55cb75e1de205ba11390f6230320395beae0c530716a4f5
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1259 bytes

    Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.