Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4dee797ef5aba24f…

MALICIOUS

Office (OLE) / .XLS

Size: 80.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: ef8ea109ee8758a02651be12a959a91e
SHA-1: bbf8c0ec5a83a6619e1c8133d71f1844a38b7847
SHA-256: 4dee797ef5aba24ff87a0c49673254f0b7073930c2e8d55d562264ab6ba20568
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an XLS file containing VBA macros. The Workbook_Activate subroutine runs automatically when the workbook is opened; it concatenates strings stored in cell notes (comments) to assemble a command. That command is then passed to a function that uses CreateObject and CallByName, a pattern that indicates dynamic, late-bound code execution and keeps the invoked object and method names out of the static macro text. The script appears to be designed to download and execute a second-stage payload, as suggested by the 'ping google.com;' string, which is likely a placeholder or part of a command used to fetch external content. The specific strings used in the script are obfuscated, but the overall pattern points to a downloader.

Heuristics (3)

  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    CreateObject call
  • CallByName call (severity: high, rule OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   1524 bytes
             SHA-256: fb4223956d937c7282dba32b46e1f1c2b3a989593590a07eb621ecd72cf957d1