Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a7c9c050c65d398…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 2.61 MB
Created: 2004-03-29 22:32:10
Authoring application: Microsoft Excel
MD5: 61cd1115d5cca48f1bb34f2ade23a397
SHA-1: a59bffe594bb2ece01ad68fcca3be34350567e55
SHA-256: 4a7c9c050c65d398660a89071411126cea898866709695afa2e3a39ba2bc34a7
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.002 Phishing: Spearphishing Attachment

The file contains a large VBA macro, indicated by the OLE_VBA_MACROS heuristic. The OLE_VBA_CREATEOBJ heuristic shows the macro calls CreateObject to instantiate COM objects, a common technique for executing arbitrary code from a document. The SE_INVOICE_LURE heuristic indicates that the document body contains language related to invoices or payments, consistent with a phishing or scam lure. The EXTRACTED_FILE_STATIC_TRIAGE heuristic flags VBA Chr/ChrW string obfuscation in the carved macro source, confirming that the macro's strings are intentionally hidden from static inspection. No specific network IOCs were extracted, but the combination of obfuscated VBA macros and an invoice lure strongly suggests malicious intent, most likely to download and execute a secondary payload.

Heuristics 5

  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2bd477bc5aef8bf0e7dc316b2b9f6ee130891a338ae71122ca2450bfae587622
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 88067 bytes
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 17 Chr/ChrW string-construction calls.