Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6185e54b0bee1fe6…

MALICIOUS

Office (OLE) / .XLS

Size: 55.0 KB
Created: 2010-04-21 15:02:30
Authoring application: Microsoft Excel
MD5: ff50a72d69172b6cf271a81be55c79ea
SHA-1: bfb30555162fce319d2aa1334f72cdb8d3702c77
SHA-256: 6185e54b0bee1fe6cf907dc2beca375406e45a6548d647b31707be0c6c5c267b
Risk Score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The Excel file contains a Workbook_Open VBA macro, which runs automatically when the workbook is opened. The macro references the ShellExecute and LoadLibrary APIs and also carries an embedded PE executable. It likely attempts to download and execute a second-stage payload from http://63.149.37.205/index.php. The embedded executable together with the use of ShellExecute indicates downloader or dropper functionality.

Heuristics (11)

  • Reference to ShellExecute API (severity: high) SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API (severity: high) SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high) SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Workbook_Open macro (severity: high) OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call (severity: high) OLE_VBA_CREATEOBJ
    CreateObject call
  • Embedded PE executable (severity: high) OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • x86 push-string-call (severity: medium) SC_PUSH_STRING
    Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack
  • VBA macros detected (severity: medium) OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://63.149.37.205/index.php?arch=i386&os=windows&version=unknown&c=fD6lPYFa&t=fdd3083cafcc635a&random=1043839238

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2fdd955d2e23be236457003edd7b5126a32f7434d188b51fc8e13307fa4cce95
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4367 bytes