Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 53e615f0afc444f5…

MALICIOUS

Office (OLE) / .XLS

Size: 34.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-02-22
MD5: 07cad9b0c9bdbf1ff25e3d18d9e2b068
SHA-1: 6133cf19f2c573f1fd07afbeb8fc56e0b4d9bc35
SHA-256: 53e615f0afc444f5bcb472e3d23e175e028a0a0b27661579d205051be0cbd04f
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The VBA macro code within the sample utilizes ShellExecute and GetObject to extract an embedded OLE object. It then attempts to paste this object into the user's AppData directory, renaming a file from 'eudvr.txt' to 'eudvr.js' and subsequently opening it. This indicates a likely intent to download and execute a second-stage payload via JavaScript. The use of Environ$("AppData") and the renaming of a file to a .js extension strongly suggest this behavior. The presence of ShellExecute and PowerShell references further supports the execution of external code.

Heuristics (5)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
  • Reference to PowerShell (severity: high, rule: SC_STR_POWERSHELL)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 7d59a76256527e9033231b2ea3a92cadbd2c32531dd695abcd4ce11b427d8726
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1298 bytes
  • Filename: ole10native_00.bin
    SHA-256: 59eb56368afd24ef6de6e06caad014ebac89b6f404b9566a7362c8b241f7e0cd
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD08AF4F52/Ole10Native
    Size: 1092 bytes