Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5add188d307788b3…

MALICIOUS

Office (OLE) / .XLS

Size: 33.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-04-13
MD5: 92d7dda54a7553e7419c37c781e21ea6 SHA-1: 63be12e4bc1ff386cd5a0888f1538c45f0948db6 SHA-256: 5add188d307788b3a20ca00b39425d0c5a622326422a357c931eed78acc893e8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The critical heuristic indicates that VBA macros instantiate and execute content from worksheet cells using GetObject. The macro code concatenates strings from cell notes to form a command that is then executed via GetObject, likely to download and run a second-stage payload. The specific command executed is constructed from Range("C4").NoteText, Range("C5").NoteText, Range("C6").NoteText, and Range("C7").NoteText.

Heuristics (3)

  • VBA instantiates/executes content from worksheet cells (critical, OLE_VBA_CELL_GETOBJECT_EXEC)
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas (SHA-256: d6dab9e0d0aaaf4c32d5e3242f8aead8b8e64b0e8b066d26d74cf96109d0f955)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1129 bytes