Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 48e19bd4ea5c8956…

MALICIOUS

Office (OLE) / .XLS

Size: 80.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: ce96f7cdb3fdafb89cdfbecc7d37c801
SHA-1: 4ace7a01b4528bcc37d050f6c1da9229972d58cc
SHA-256: 48e19bd4ea5c8956dd881d6b20b9624b5d5ed66bc74f9883aad1efad87d8d3f7
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an Excel workbook containing VBA macros. The Workbook_Activate subroutine runs automatically when the workbook is opened; it concatenates strings stored in cells C4 and C5 to build a command string, which is then passed to a function that invokes it through CreateObject and CallByName, a late-binding pattern typical of malicious macros. The script appears to download and execute a second-stage payload: the string 'ping google.com;' is most likely a placeholder or one part of a command that fetches external content. The payload itself and its download location could not be fully reconstructed because of the obfuscation.

Heuristics (3)

  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ): CreateObject call
  • CallByName call (severity: high, rule OLE_VBA_CALLBYNAME): CallByName call
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS): document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: fb4223956d937c7282dba32b46e1f1c2b3a989593590a07eb621ecd72cf957d1
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1524 bytes