Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5399ac9fbd893d6f…

MALICIOUS

Office (OLE) / .XLS

Size: 479.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-05-17
MD5: 9478b76f09e365f0b297df56953530b4
SHA-1: 452f781439903f94931cd2da26f1c74e91a0a33f
SHA-256: 5399ac9fbd893d6f0fb45f155902ca710722f05a3ac3266a8e50d9141ff81a12
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1219 Remote Access Software

The file is an Excel spreadsheet containing VBA macros. The VBA code calls GetObject and Environ(). GetObject obtains a reference to a COM automation object (WMI, Shell and similar objects are the usual targets), and Environ() reads environment variables such as TEMP or USERPROFILE; together they are consistent with resolving a drop path and launching a payload through an automation object rather than through a directly visible Shell call, although neither call proves arbitrary code execution on its own. A Workbook_Activate event handler is present; Excel fires it whenever the workbook gains focus, including immediately after it is opened, so the code runs as soon as macros are enabled with no further user action. The many commented-out MsgBox calls are dead code, more consistent with debugging leftovers than with deliberate obfuscation, and they do not change what executes. Without further deobfuscation or observed network activity the exact payload and intent remain unclear; the automatic macro execution combined with the COM-object and environment-variable access is the primary indicator of malicious activity.

Heuristics (3)

  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
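To make the heuristics above and the analysis text concrete, the following Python scanner is an added example and not the analysis service's own code. It re-implements the GetObject, Environ() and macro-detection checks, plus the auto-exec entry-point test the analysis relies on, over decoded VBA source such as the carved macros.bas. It masks string literals and separates comments before matching, so a keyword that only appears inside a string or in a commented-out line is not counted as a live call; the same split is what lets it report commented-out MsgBox calls separately from live ones. The VBA sample embedded in it is constructed for the demonstration (it is not the real module), and the severity labels are copied from the report.

```python
"""Heuristic triage of decoded VBA source (added example, not the report's scanner).

Input is the decoded text of one macro module, e.g. the macros.bas carved by
oletools (`olevba sample.xls` prints the same source). Severity labels follow
the report; the VBA sample at the bottom is constructed for the demonstration.
"""
import json
import re

# Event handlers and procedure names Office runs without user interaction
# once macros are enabled (Workbook_Activate also fires right after open).
AUTO_EXEC = ("Workbook_Open", "Workbook_Activate", "Auto_Open",
             "Document_Open", "AutoOpen", "AutoExec")

# Heuristic id -> (severity as labelled in the report, regex for a live call).
CALL_HEURISTICS = {
    "OLE_VBA_GETOBJ": ("high", r"\bGetObject\s*\("),
    "OLE_VBA_ENVIRON": ("low", r"\bEnviron\$?\s*\("),
}

STRING_RE = re.compile(r'"(?:[^"]|"")*"')          # VBA escapes " inside a string as ""
COMMENT_LINE_RE = re.compile(r"^\s*(?:'|Rem\b)", re.IGNORECASE)


def split_code_and_comments(src):
    """Return (live code lines, comment texts).

    String literals are blanked before looking for the ' comment marker, so a
    quote inside a string can neither start nor hide a comment; trailing
    comments are cut off the code line and kept with the comments.
    """
    live, comments = [], []
    for raw in src.splitlines():
        if COMMENT_LINE_RE.match(raw):
            comments.append(raw)
            continue
        masked = STRING_RE.sub('""', raw)
        code, marker, trailing = masked.partition("'")
        live.append(code)
        if marker:
            comments.append(trailing)
    return live, comments


def scan_vba(src):
    """Apply the report's heuristics to one VBA module and return a plain dict."""
    live, comments = split_code_and_comments(src)
    code = "\n".join(live)
    hits = {}
    code_lines = sum(1 for ln in live if ln.strip())
    if code_lines:                                   # OLE_VBA_MACROS: any macro code at all
        hits["OLE_VBA_MACROS"] = {"severity": "medium", "count": code_lines}
    for ident, (severity, pattern) in CALL_HEURISTICS.items():
        n = len(re.findall(pattern, code, re.IGNORECASE))   # live calls only
        if n:
            hits[ident] = {"severity": severity, "count": n}
    entry_points = [name for name in AUTO_EXEC
                    if re.search(rf"\bSub\s+{name}\b", code, re.IGNORECASE)]
    msgbox = re.compile(r"\bMsgBox\b", re.IGNORECASE)
    return {
        "heuristics": hits,
        "entry_points": entry_points,                # non-empty: code runs on open
        "msgbox_live": len(msgbox.findall(code)),
        "msgbox_commented": sum(1 for c in comments if msgbox.search(c)),
    }


# Constructed sample standing in for the carved macros.bas (not the real module).
SAMPLE = """Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Activate()
    'MsgBox "stage 1"
    Dim tmp As String
    tmp = Environ("TEMP") & "\\out.txt"
    'MsgBox tmp
    Set svc = GetObject("winmgmts:")   ' was: MsgBox "connected"
    Call Log("GetObject(x) only appears inside this string")
End Sub
Sub Log(s As String)
    Rem MsgBox s
    Debug.Print s
End Sub
"""

if __name__ == "__main__":
    print(json.dumps(scan_vba(SAMPLE), indent=2))
```

On the constructed sample the scanner reports one live GetObject call, one live Environ() call, Workbook_Activate as the entry point, no live MsgBox and four commented-out ones; the GetObject text inside the string literal is ignored. A raw keyword grep over the module would count that string occurrence as a call, which is the false positive the masking step avoids.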

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 89f1542c51f51c849d146fdede3313a47ca9d30fa31efc8cc6650801c6c58339
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3434 bytes