Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4a3ace3a34826b36…

MALICIOUS

Office (OLE) / .XLS

Size: 212.5 KB
Created: 2020-10-12 13:04:16
Authoring application: Microsoft Excel
MD5: 1970e11ed6fdb7c851e18fac8f88e44e
SHA-1: 0062191102fcad2435af5bf3264536a964b811c1
SHA-256: 4a3ace3a34826b36c9055ade40a37f71a0359cf0fe963fcb8eba1cf5295ea505
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.002 Phishing: Spearphishing Attachment

The sample is an Excel file containing VBA macros. The macros are heavily obfuscated but reconstruct to reveal a PowerShell command that downloads and executes a VBScript from a remote URL. The VBScript is also obfuscated but appears to establish persistence by writing to the Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'. The embedded URL and the persistence registry key are high-priority IOCs.

Heuristics (2)

  • GetObject call (severity: high, rule OLE_VBA_GETOBJ)
    GetObject call
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 641dfa83204f486a61249c3f1dbe5dc78da69b60b4ae91b28651b55215e1d4bb
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1260 bytes