Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4f3eca65d342de5b…

MALICIOUS

Office (OLE) / .XLS

Size: 123.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-08-11
MD5: 7eeb6c4c06e2b7f1b61dcbcc5ed1cf2f
SHA-1: 77d637d3c716cbc95626efb9483bc9e39d34e765
SHA-256: 4f3eca65d342de5bb3f92364f8639d1c492d450cdeff7e69583a198e3ade465c
Risk score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1140 Deobfuscate/Decode Files or Information

The VBA macro attempts to copy the contents of the first embedded OLE object (likely the embedded invoice) into a JavaScript file named 'afJNP.js' under the user's AppData\Roaming directory, and then attempts to execute that JavaScript file. The 'SE_INVOICE_LURE' heuristic further supports an invoice-themed social engineering pretext. The macro's obfuscation and its reliance on an external script host for execution lower confidence slightly.

Heuristics (4)

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts (2)

Files carved from inside the sample during analysis.

macros.bas
  SHA-256: ea33d852cb533bab1fe69e0dd47a6f2cdcc582a7fb62fa43acbc17d979402d21
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1099 bytes

ole10native_00.bin
  SHA-256: aba823bb89d36efdc6ee786dd6a0d1a69b6bf3e6fe2e70922a23c46c9ba609a7
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD0945190C/Ole10Native
  Size: 1613 bytes