Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5ade0c4492ffe4b7…

MALICIOUS

Office (OLE) / .XLS

85.0 KB
Created: 2020-05-06 06:29:58
Authoring application: Microsoft Excel
MD5: ebff30b57026558d783c94648e588c7f
SHA-1: 83b433cb44815102ea045ebb5106361946694377
SHA-256: 5ade0c4492ffe4b77776543635a5cad0eef6d4a207f69dac0a59f9ad76aa42ba
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an Excel file containing VBA macros. The macros utilize WScript.Shell and CreateObject, indicating an attempt to execute arbitrary code. The document body mentions 'DHL', suggesting a lure for phishing. The VBA code constructs a string and attempts to execute it using WScript.Shell, likely to download and run a second-stage payload.

Heuristics (5)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • SC_STR_WSCRIPT (high): Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected. Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
          da87fa233d01af0a2f6ae7abecc4f138e56e2242024847e51d8d608dc9a6a8c4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1146 bytes