Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 59ba6d5636e63e9d…

MALICIOUS

Office (OLE) / .XLS

Size: 36.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-20
MD5: fd26640516af160bc89aff8d0e461e36
SHA-1: 89d518ebf57acc07a7cbd9a948335c481e954168
SHA-256: 59ba6d5636e63e9dbdec9b92014e934537b2f64b5d40864a500dc53ee42714f8
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The VBA macro within the Excel file is designed to execute a PowerShell command. This command reconstructs a URL from concatenated strings and downloads a file named 'notepads.vbs' to the user's temporary directory, which is then executed. The script uses GetObject to interact with WMI, likely to facilitate the execution of the downloaded payload. The specific URL reconstructed is 'http://moc.ehgityennikcm//:ptth'.

Heuristics (2)

  • OLE_VBA_GETOBJ (severity: high)
    GetObject call
  • OLE_VBA_MACROS (severity: medium)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas (fc12d67280e7f3600e15fabc6a01e9a93c47b3300c702432ef17c95a623853a6)
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1426 bytes