Office (OLE) / .XLS malware analysis — malicious · 56ae8f22b7e43690

MALICIOUS

Office (OLE) / .XLS

89.5 KB Created: 2020-09-15 05:06:38

MD5: 266bb9364a80f6fe3bc88ad7a066d9d2 SHA-1: e2a3557aa1c9b902196367517598a643c6a87b40 SHA-256: 56ae8f22b7e4369050bd1663b8c5550522a17125bacb878e1f7d4ced0616b409

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The file is an XLS document containing VBA macros, specifically a Workbook_Open macro, which is a common technique for initial execution. The heuristic 'EXTRACTED_FILE_STATIC_TRIAGE' indicates a long encoded blob and VBA auto-execution, suggesting the macro is designed to download and execute a second-stage payload. No specific family could be identified, and no IOCs were directly extractable from the provided evidence.

Heuristics 4

Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `06a9df0c0ea6877ae6076cbd57d60e12342e13a9661182432a7e42b0e6c456b3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4195 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.