Malicious Office (OLE) / .VIR — malware analysis report

Static analysis result for SHA-256 50fbc55f01ea2505…

MALICIOUS

Office (OLE) / .VIR

150.0 KB Created: 1998-06-08 01:13:27 Authoring application: Microsoft Excel
MD5: ccd56358a4f6197754ca4cf2f42e3ace SHA-1: e39ade6e4dddf831de7641886007793a0d2caf1a SHA-256: 50fbc55f01ea2505aa6d705e8aae461a4b6755b3f5035b13bda1b836b6bcf8dd
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is an Excel document containing VBA macros, including Auto_Open and Auto_Close functions, which are commonly used to execute malicious code. Heuristics indicate the presence of ShellExecute API calls and VBA string obfuscation, suggesting the macros are designed to download and execute a payload. The embedded URL http://my.netian.com/~ppenguin is likely part of this download mechanism.

Heuristics 7

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://my.netian.com/~ppenguin

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
fba58534e373e8211a73f4e5bfba3e68213db65150b25b2abc493b0d35a24700		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 35384 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s). Carved artifact contains 15 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.