Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5c8af7d1bee8d703…

MALICIOUS

Office (OLE) / .XLS

Size: 48.5 KB
Created: 2020-10-06 08:00:16
Authoring application: Microsoft Excel
MD5: 4b0583be057cdae38cefc8aeb3969dfe
SHA-1: 336652280bb6ea8f75798d4900588afadd193825
SHA-256: 5c8af7d1bee8d7037671533feee482eba4a6d9009bd3665a283217a94315c002
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristic indicates that a VBA ActiveX event triggers a decoded Excel 4.0 macro. The VBA script itself contains a loop that decodes a string and then executes it using ExecuteExcel4Macro. This pattern strongly suggests the macro is designed to download and run a secondary payload, a common technique for initial execution.

Heuristics (2)

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 0ab6c9b641d579dee4a5d0b5210c2a6f66e1b295e83e6c7b9c294e3f4c29d035
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1237 bytes