Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 547e34240e1fed85…

MALICIOUS

Office (OLE) / .XLSX

Size: 120.5 KB
Created: 2020-09-10 09:45:14
Authoring application: Microsoft Excel
First seen: 2023-03-30
MD5: 0bb6ef7f4d8a29f57332c41e70f557b4
SHA-1: 1fadf8c516daa6a0e551cde40c6ba309810bf17e
SHA-256: 547e34240e1fed85db1fb3a7e2a528290eb7ec5c64257b10fe6e2fc0654e3bc2
Risk score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1071.001 Web Protocols
  • T1059.001 PowerShell

The sample is an Excel file containing VBA macros that are automatically executed upon opening via Auto_Open and Workbook_Open. The script attempts to collect system information (OS version, IP address, hotfixes, processes, security products, AppLocker policies, ASR rules) and encrypts it using RC4 with the hardcoded key 'Im on the highway to hell'. This encrypted data is then sent to the domains 'noreply.ars-covid19.fr' and 'ars-covid19.fr/resources' via HTTP POST requests. The document body explicitly instructs the user to enable macros to view COVID-19 related information, acting as a lure.

Heuristics (10)

  • [critical] VBA WMI Win32_Process launcher (OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • [high] Workbook_Open macro (OLE_VBA_WBOPEN)
  • [high] Auto_Open macro (OLE_VBA_AUTO)
  • [high] CreateObject call (OLE_VBA_CREATEOBJ)
  • [high] GetObject call (OLE_VBA_GETOBJ)
  • [high] VBA p-code auto-exec with execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] VBA macros detected (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • [medium] Macro/content-enable lure (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • [low] Environ() call (OLE_VBA_ENVIRON)
    Environ() call (environment variable access).
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://noreply.ars-covid19.fr
    • https://ars-covid19.fr/resources

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 83a3c82e64c184b65851f2c8c8bf82656a7dee5aa8821a62760d1cffe28d4907
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26737 bytes