Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 559b4ec0b99a8e26…

MALICIOUS

Office (OLE) / .XLSX

1.62 MB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: a34a2058c8eec7685d35736f193b187c SHA-1: 1009d8aeb10174624cff7dde7307610b4a9c6fb8 SHA-256: 559b4ec0b99a8e268d3dddd0c6a73f04317cdc9f597255fd1ce90015dfcfaea0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel spreadsheet containing VBA macros. A heuristic indicates a 'macro/content-enable lure', instructing the user to enable macros. The presence of CreateObject and CallByName calls suggests the macro is designed to execute arbitrary code, likely to download and execute a second-stage payload. No specific family could be identified.

Heuristics 4

  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b467d81e99f59c0059f5aaf05cf5899a6171053d06319f771455ab0e8e14aa93		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3218 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.