Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5b80c3f3f422ec4f…

MALICIOUS

Office (OLE) / .XLS

32.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-09-13
MD5: a2148f3dbb2d3ec84d017e2dfdb28495 SHA-1: a72ad82e86134e7bccb7e29cfba1236cc353d4e3 SHA-256: 5b80c3f3f422ec4f04d9864ed0feb9fe60ecc24a61cd8066c7f7978cc3cc2ab8
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The embedded VBA macro utilizes a CreateObject call to execute a PowerShell command. This command is obfuscated but reconstructs to download and save a file named 'notepid.exe' to the temporary directory from the URL 'http://reverse-karev-ag-admin/tsim-dnwoloC.exe'. The PowerShell script then executes this downloaded file.

Heuristics 3

  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a00dd553a95045a83d558ab3dcaef22ec2cd764d313040e3f69fe4c53d8c9ee7		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.