Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4e29416f27ab332b…

MALICIOUS

Office (OLE) / .XLS

Size: 823.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
MD5: b24573232df8a4bc23094f8f8fc7f6aa
SHA-1: f3cb1e5a4e6a1a28150e9d9bf1f59b7614ec689a
SHA-256: 4e29416f27ab332ba6f9d40f50bc0ad257f9f495c34a9c190d9041620045bda7
Risk score: 400

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Excel workbook (OLE2 container) carrying VBA macros. Two critical heuristics, a Shell() call in the VBA source and an MZ/PE header inside the document, indicate that the macro is built to write out and execute the embedded executable; the ClamAV detection Win.Dropper.Hideproc-6663113-0 on both the container and the carved PE supports classifying the file as a dropper. The LoadLibrary, GetProcAddress and VirtualAlloc strings are consistent with code (in the embedded PE or the macro) resolving APIs at runtime and allocating executable memory, and the Windows Script Host reference suggests a script stage in the execution chain. The extracted URLs should not be read as download locations: http://www.microsoft.com followed by the crl.microsoft.com and www.microsoft.com/pki CRL and certificate URLs of the Microsoft Code Signing PCA 2010 / Microsoft Time-Stamp PCA chain, each with a trailing '0', '0X', '0Z' or '0T' (0x30 is the DER SEQUENCE tag, the next byte a DER length), is the characteristic residue of an Authenticode signature block passed through a string-based URL extractor. It shows that the embedded PE carries a signature block; whether that signature is still valid cannot be decided from string extraction. Network indicators for this sample therefore have to come from dynamic analysis, not from these strings, and the T1105 mapping rests on the macro's behaviour rather than on the URLs.

Heuristics (10)

  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [critical] OLE_EMBEDDED_EXE: MZ/PE header found inside the document (possible embedded executable)
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • [critical] EXTRACTED_FILE_CLAMAV: ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • [high] SC_STR_WSCRIPT: reference to Windows Script Host
  • [high] SC_STR_LOADLIBRARY: reference to the LoadLibrary API
  • [high] SC_STR_GETPROCADDRESS: reference to the GetProcAddress API
  • [medium] SC_STR_VIRTUALALLOC: reference to the VirtualAlloc API
  • [medium] OLE_VBA_MACROS: document contains VBA macro code
  • [info] EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) say which part of the file reached each URL and are not reproduced in this extract.
    Extracted URLs. All seven belong to the Authenticode signature block of the embedded PE (the Microsoft Code Signing PCA 2010 / Microsoft Time-Stamp PCA / Microsoft Root Certificate chain); the trailing '0', '0X', '0Z' and '0T' are the DER SEQUENCE tag 0x30 and the length byte that followed each string in the signature, not part of the URL:
    • http://www.microsoft.com0
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
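The trailing '0', '0X', '0Z', '0T' on the URLs above are what a strings-style URL extractor produces when it runs across the DER-encoded certificate chain of an Authenticode signature: the IA5String holding the URL is followed by the next element's tag byte (0x30, SEQUENCE, which is ASCII '0') and its length byte, and the regex keeps going as long as those bytes are printable. The block below is an added example written for this report, not tooling from the analysis pipeline: it builds a small AuthorityInfoAccess-style DER structure as constructed test data (the example.test URLs and the byte layout are assumptions, not bytes from the sample), shows the naive regex gluing the tag/length bytes onto the URL, and then extracts the URIs at their exact DER boundaries instead.

```python
import re

URI_TAG = 0x86   # GeneralName uniformResourceIdentifier: context-specific [6], primitive
SEQUENCE = 0x30  # DER SEQUENCE tag, which is ASCII '0'


def der(tag, body):
    """Encode one DER TLV (short and long-form lengths). Used only to build test data."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


# Constructed test data, not bytes from the analysed sample: an AuthorityInfoAccess-style
# SEQUENCE OF AccessDescription { OID, [6] URI }, followed by one more SEQUENCE so that the
# last URI is not at end-of-buffer (inside a real PKCS#7 blob something always follows it).
URL_CERT = "http://www.example.test/pki/certs/RootCA.crt"
URL_CRL = "http://crl.example.test/pki/crl/products/ExampleTimeStampPCA.crl"
OID_CA_ISSUERS = der(0x06, bytes.fromhex("2b06010505073002"))  # 1.3.6.1.5.5.7.48.2
OID_OCSP = der(0x06, bytes.fromhex("2b06010505073001"))        # 1.3.6.1.5.5.7.48.1
SAMPLE = (
    der(SEQUENCE,
        der(SEQUENCE, OID_CA_ISSUERS + der(URI_TAG, URL_CERT.encode("ascii")))
        + der(SEQUENCE, OID_OCSP + der(URI_TAG, URL_CRL.encode("ascii"))))
    + der(SEQUENCE, der(0x05, b""))
)


def naive_urls(blob):
    """What a strings-style extractor does: run until the first non-printable byte.
    The DER tag/length bytes after the IA5String are printable often enough that
    they get glued onto the URL ('...crt0L', '...crl0')."""
    return [m.group().decode("ascii") for m in re.finditer(rb"https?://[!-~]+", blob)]


def der_walk(buf, start=0, end=None):
    """Yield (tag, value) for every primitive TLV, descending into constructed ones.
    Single-byte tags only (enough for X.509/PKCS#7); raises on truncated input."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag = buf[pos]
        first = buf[pos + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr = 2 + n
        value_start = pos + hdr
        value_end = value_start + length
        if value_end > end:
            raise ValueError("truncated TLV at offset %d" % pos)
        if tag & 0x20:                       # constructed: recurse into the children
            yield from der_walk(buf, value_start, value_end)
        else:
            yield tag, buf[value_start:value_end]
        pos = value_end


def der_urls(blob):
    """URIs taken at their exact DER boundaries: no trailing tag/length bytes."""
    return [v.decode("ascii") for tag, v in der_walk(blob) if tag == URI_TAG]


if __name__ == "__main__":
    for u in naive_urls(SAMPLE):
        print("naive:", u)
    for u in der_urls(SAMPLE):
        print("der:  ", u)
```

On a real binary, feed der_walk the bCertificate blob of the WIN_CERTIFICATE entry referenced by the PE security directory; note that X.509 keeps AIA and CRL distribution point values inside an OCTET STRING extnValue, which this walker treats as opaque, so decode the extension value first (or use a proper X.509 parser) before looking for [6] tags. Any URL that ends in '0' plus at most one byte and that resolves to a CRL or AIA endpoint should be recorded as signature residue, not as an IOC.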

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                                               Size
macros.bas                    vba-macro    oletools.olevba.extract_macros (decoded VBA source)  14318 bytes
  SHA-256: aafcaaf90595ab36360aa7ebea1d205f695ebaa4733d161e0344dd0c919faf50
embedded_office_000044f1.exe  embedded-pe  Office MZ+PE at offset 0x44F1                        825615 bytes
  SHA-256: 79a6cd3cb2879c4d66eedcfe179f2305cb7db63d6596bbd56bee3bde2c14ee4f
  Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
  Obfuscation or payload: unlikely
ole10native_00.bin            ole-package  OLE Ole10Native stream: MBD0001C810/Ole10Native      611869 bytes
  SHA-256: c64dcafa616038fea032c518953dfc75dfdce8774d27a2c205eadd410e71075a

Note on the embedded-pe size: 0x44F1 (17,649) + 825,615 = 843,264 bytes = 823.5 KB, so the carver took everything from the MZ header to the end of the file. That figure is an upper bound, not the executable's real length, and the SHA-256 above is the hash of that overshoot, which will not match the executable as it lands on a victim disk. Derive the real length from the PE's own section table and certificate-table directory before hashing or submitting the carved file. The Ole10Native stream (611,869 bytes) in the embedded-object storage MBD0001C810 is an OLE Package object, the usual way an arbitrary file is embedded in an Office document; since its size differs from the carve, confirm by parsing the stream whether the carved PE is its payload.
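The arithmetic above (offset 0x44F1 plus the reported 825,615 bytes lands exactly on the end of the 823.5 KB file) is the signature of a carver that cuts from the MZ header to EOF. The block below is an added example written for this report, not the analysis pipeline's own carver: it builds a minimal PE32 image as constructed test data (the offsets, section layout and the 104-byte preamble are assumptions, nothing here comes from the sample), locates MZ headers whose e_lfanew points at a valid PE signature, and computes the executable's true length from its headers, the furthest byte claimed by any section's raw data or by the Authenticode certificate table, so that the carved slice and its hash correspond to the real file.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # certificate table: a raw file offset, not an RVA


def build_sample_pe():
    """Construct a minimal PE32 image as test data (not the analysed sample): DOS header,
    PE signature, COFF header, 224-byte optional header with 16 data directories, two
    sections, and an Authenticode-style certificate table after the last section."""
    file_align = 0x200
    num_sections = 2
    opt_size = 224                                   # PE32: 96 bytes + 16 * 8-byte directories
    headers_end = 64 + 4 + 20 + opt_size + 40 * num_sections
    first_raw = -(-headers_end // file_align) * file_align      # 0x200
    sections = [(b".text", first_raw, 0x200), (b".data", first_raw + 0x200, 0x200)]
    cert_off = sections[-1][1] + sections[-1][2]     # 0x600
    cert_size = 0x100
    true_size = cert_off + cert_size                 # 0x700 = 1792 bytes

    dos = bytearray(64)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, num_sections, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 36, file_align)      # FileAlignment
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    sect_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, 0x1000 * (i + 1), size, raw_off, 0, 0, 0, 0, 0x60000020)
        for i, (name, raw_off, size) in enumerate(sections))
    image = bytearray(true_size)
    hdr = bytes(dos) + PE_SIG + coff + bytes(opt) + sect_tbl
    image[:len(hdr)] = hdr
    image[first_raw:first_raw + 0x200] = b"\xcc" * 0x200                   # .text filler
    struct.pack_into("<IHH", image, cert_off, cert_size, 0x0200, 0x0002)   # WIN_CERTIFICATE header
    return bytes(image)


SAMPLE_PE = build_sample_pe()
PE_OFFSET = 104
# Constructed carrier: opaque bytes before the PE, then 300 carrier bytes that are not part of it.
CARRIER = bytes(PE_OFFSET) + SAMPLE_PE + bytes(300)


def find_pe_headers(blob):
    """File offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits = []
    pos = blob.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and blob[pos + e_lfanew:pos + e_lfanew + 4] == PE_SIG:
                hits.append(pos)
        pos = blob.find(MZ, pos + 1)
    return hits


def pe_true_size(blob, base):
    """Length of the PE at `base` as its own headers describe it: the furthest byte
    claimed by the headers, any section's raw data, or the certificate table."""
    pe = base + struct.unpack_from("<I", blob, base + 0x3C)[0]
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory start
    sect = opt + opt_size
    end = sect + 40 * num_sections - base               # end of section table, relative to base
    for i in range(num_sections):
        raw_size, raw_off = struct.unpack_from("<II", blob, sect + 40 * i + 16)
        end = max(end, raw_off + raw_size)
    num_dirs = struct.unpack_from("<I", blob, dir_base - 4)[0]
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from("<II", blob, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if cert_off:
            end = max(end, cert_off + cert_size)
    return min(end, len(blob) - base)                   # never claim more than the carrier holds


def carve_pe(blob, base):
    return blob[base:base + pe_true_size(blob, base)]


def carve_report(blob):
    """Per embedded PE: (offset, naive offset-to-EOF size, header-derived size)."""
    return [(off, len(blob) - off, pe_true_size(blob, off)) for off in find_pe_headers(blob)]


if __name__ == "__main__":
    for off, to_eof, true in carve_report(CARRIER):
        print("PE at 0x%X: carve-to-EOF %d bytes, headers say %d bytes" % (off, to_eof, true))
```

Run against the real document, carve_pe would stop where the section table and certificate directory say the executable ends, and the SHA-256 of that slice is the one to compare with the payload of the Ole10Native stream and to submit to sandboxes or threat-intel lookups. The min() at the end matters for truncated or partially overwritten carriers, where headers can claim bytes that are not present.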