Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 4b5b7ba419007315…

MALICIOUS

Office (OLE) / .XLSX

150.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: d349679429c45116c96edcee92722401 SHA-1: e976e054b87fa89518d94cba559583f3a9a3c2da SHA-256: 4b5b7ba41900731539310f5d94ef42cf212d5bd4e3ff475f9cb7e11f40d9a841
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The file contains VBA macros that utilize ShellExecute and CreateObject functions. These functions are commonly used to download and execute malicious payloads. The presence of these indicators suggests a macro-based downloader attack pattern. No specific family could be identified.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 0fb28b191000829b68e514dcf5340bd68d62c64c1e5ef08bd54a5aca354cd189
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9708 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).