Office (OLE) / .XLA malware analysis — malicious · 5792179938b4b181

MALICIOUS

Office (OLE) / .XLA

245.5 KB Created: 2004-06-21 13:24:37 Authoring application: Microsoft Excel

MD5: 254c3354e63fb447e3123458d3a46fbd SHA-1: fbadf0bb9899c141167883f1209a27fd2f58eb9a SHA-256: 5792179938b4b181d1b50ce3e2072cfd468d641274da66e0f037c47978573e7c

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell

This Excel macro-enabled file (XLA) contains VBA code that utilizes the Shell() function, a critical heuristic firing. This indicates the macro is designed to execute external commands. The embedded URL, while local, suggests a potential command-and-control or download mechanism. The presence of Auto_Open suggests automatic execution upon opening the file.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://localhost/issweb/ASP/WebForm.Aspx?LocalInvoke=true&Init=true&

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b6bc7496057a54df39e5179f889ff81d0c6dc4080b402406810c00fb6d77899a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	57947 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.